Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3732282img; Mon, 25 Mar 2019 17:02:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqxCrHohNanQaLBIiUMVUVW2zuTIK0hfhIchwwkvNDtgy85TiBoVTJ+Xxl0qA+ibuh97Hw2v X-Received: by 2002:a63:cc0a:: with SMTP id x10mr13025463pgf.179.1553558578906; Mon, 25 Mar 2019 17:02:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553558578; cv=none; d=google.com; s=arc-20160816; b=a0rOevVgZFn5bttcJXDuZFxggmjme3MDmSCyV3N/R64iyAPLhkPCuNzP/YBK4F1G6p 5+Sh4dTlg076KQqJRhLX+EDLCZB/tAYywmqSnE79ySJfBOnF5dPEGs1DMMpkPJqcJOqm WFcW865sddcRsIIkNRYTqxevqnUGYSdfDp3aPKRjuucUHcp3Wgs6rVHvxpMOvdKOyDPw uosHBdiEuqa1NmAfrs9rCzNdlz4FZcopCWhXpnazmpSCztkbtN5KYw3lhnbN1nZzUbX3 aLywCOezS+9z1SF3+ryh09rvlyjGHJese93+bqs49y3rT7pHzUirfHiwlQ+kG0TX83ng E4CQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=qPPcrI0564nwycoxGW4epGue70J33YUdUjVWQ5z6Rw8=; b=l7PT2uLiuC2741iWFgccd4yq9no49yjXa7jRZlcQlHTLxngWedf5O0lpRZwy4h0UWH DsmhQcfqix+hnwRyls3OD8yiyZZEdoy6kAzCWc6DuKM0w5/RSJKMSdbN3tiPUyLTmbOj m1RIkApFOhPRN8vkHxukMzIj2o7aC4f2y0c2Nrjtj9w3K/QzycPiyksL6oacpRWPhosQ WwjOMh2ZGBek396gbMCDhmK1KkhR/VIOooOkjovxYy2D/DGWrtuXAIlwUlCtHi/PfEEj tH0N4XoGr8W3/6/MnU/W1I0MPIJbuwUr/iq0DYvR4qJzETtvqXnwPnDqnF0cOeZur1Q9 Muxg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b31si16044581plb.351.2019.03.25.17.02.43; Mon, 25 Mar 2019 17:02:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730459AbfCZAAg (ORCPT + 99 others); Mon, 25 Mar 2019 20:00:36 -0400 Received: from www62.your-server.de ([213.133.104.62]:38492 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730239AbfCZAAf (ORCPT ); Mon, 25 Mar 2019 20:00:35 -0400 Received: from [78.46.172.3] (helo=sslproxy06.your-server.de) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from ) id 1h8ZW2-0003dX-5P; Tue, 26 Mar 2019 01:00:30 +0100 Received: from [178.197.248.24] (helo=linux.home) by sslproxy06.your-server.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1h8ZW1-000CGW-Uz; Tue, 26 Mar 2019 01:00:30 +0100 Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down To: Stephen Hemminger , Matthew Garrett Cc: jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov , netdev@vger.kernel.org, Chun-Yi Lee , Kees Cook , Andy Lutomirski , Will Drewry References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360> From: Daniel Borkmann Message-ID: <1cfa7345-c807-db76-f50a-ea3ba70f07b2@iogearbox.net> Date: Tue, 26 Mar 2019 01:00:29 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20190325164221.5d8687bd@shemminger-XPS-13-9360> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.100.2/25399/Mon Mar 25 08:46:48 2019) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/26/2019 12:42 AM, Stephen Hemminger wrote: > On Mon, 25 Mar 2019 15:09:50 -0700 > Matthew Garrett wrote: > >> From: David Howells >> >> There are some bpf functions can be used to read kernel memory: >> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow >> private keys in kernel memory (e.g. the hibernation image signing key) to >> be read by an eBPF program and kernel memory to be altered without >> restriction. I'm not sure where 'kernel memory to be altered without restriction' comes from, but it's definitely a wrong statement. >> Completely prohibit the use of BPF when the kernel is locked down. In which scenarios will the lock-down mode be used? Mostly niche? I'm asking as this would otherwise break a lot of existing stuff ... I'd prefer you find a better solution to this than this straight -EPERM rejection. >> Suggested-by: Alexei Starovoitov >> Signed-off-by: David Howells >> cc: netdev@vger.kernel.org >> cc: Chun-Yi Lee >> cc: Alexei Starovoitov >> Cc: Daniel Borkmann >> Signed-off-by: Matthew Garrett > > Wouldn't this mean that Seccomp won't work in locked down mode? >