Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3737776img; Mon, 25 Mar 2019 17:11:06 -0700 (PDT) X-Google-Smtp-Source: APXvYqyrVQDCzLgKw40B0QubpJRvuzfacZPkEP1KOeWK2Bk8MlXIzh0aPy5cNk09nXMD7FCvGQ1Q X-Received: by 2002:a63:1f52:: with SMTP id q18mr26322383pgm.134.1553559066212; Mon, 25 Mar 2019 17:11:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553559066; cv=none; d=google.com; s=arc-20160816; b=t2O9nl0lYKHXm+TWGnd0DQzX7Hlo6P6Pp6evFWNQgjz+TuTMr4/E5Wy0Xu+4BxtqBf lWm1SFVtDz5c7SxYgOoEbuDI3Z33zhy2nq1GqQtRVY1RTw9ujvPcwcTUTT4KHChCooN/ NI9UUB3iSAMyglWzfNHcbYP2VitcXG9CwrpD/W2GwagmDKFMArmiwHNhwMCfkznmAr9i xpQKkuFxw7XHJtoQAhGESmCnThiT/VGxdEdenqhiJ3UTNNQIzRXTGxYeuspMFDrcgF27 K5Hrr5mAdhWHmQOtRMh5c7/1YgWwavMCoZhO24uTDK2ZT4nBJ8sEyt0ERWbj0Lg5d7wv QU5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=oU71lUpe6PEeGxSap37OwFQx2sG6rn/f7YLeCy33BYs=; b=hoAugXUbe93TyH0gwWSCgxeQssc1xFCsaj8iSM3t6BJ5WWsayFvKU1yULXX0muWu6n kjphDGmZB84jb/hMsAo8lMdtd6zHle/tq/VRqspOlAoVnt1Ac3u1tVl9UY64LmnAtM4u lEJytnmyR1Ii/V3bm7xwrLyIMLdxTzx/j7bJzPgSgj4jJuiRjvst/YbKSn3Nyg0stPNp +IMBNWLEA/Yy+VvUflw1xLOel8EpqkgygWhNqdghId3bnOfxkt2mPmF6+f7hIOcjdxYw qo8DMu6pmhyNW71372Xyp3nvPAzhmEjv4bhAqQh92sxuSiZr5P5YS5Xjikp3ywLZ3IO1 DvoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=B7NlvGMO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r13si14921648pgr.213.2019.03.25.17.10.50; Mon, 25 Mar 2019 17:11:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=B7NlvGMO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727584AbfCZAKO (ORCPT + 99 others); Mon, 25 Mar 2019 20:10:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:57314 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726616AbfCZAKN (ORCPT ); Mon, 25 Mar 2019 20:10:13 -0400 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BB42220879 for ; Tue, 26 Mar 2019 00:10:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553559013; bh=WMJRBKlNDw38qp/1xuZqDu2eoQ4xMd5LQSfiiy6YFr8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=B7NlvGMOjuZ7UVPpSMgBRR9mAWUkSs9L7iOc/zLf4xTZqrL5HsqaurthuT7JVwX+v cEMhgwQ+D5PQieYNWFfBrVYqcuf2TlNlyBOTLxBX5GNH76xEZ93nqRThYZ2HGNc5bF h90lkF9LduKTnm6cylywmHcEBpOEBr09bAlW3JHc= Received: by mail-wm1-f47.google.com with SMTP id 4so10765733wmf.1 for ; Mon, 25 Mar 2019 17:10:12 -0700 (PDT) X-Gm-Message-State: APjAAAWslpkTznIA2m99SS/Dt0tFLhO+lOZBRNxWC7j7ySjOgZpQyVGH Ew4BSq+rgiO0B/GqlaLLsWFE/x5AL2CFvX1YMJ9Skg== X-Received: by 2002:a1c:e188:: with SMTP id y130mr6750289wmg.83.1553559011275; Mon, 25 Mar 2019 17:10:11 -0700 (PDT) MIME-Version: 1.0 References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360> In-Reply-To: <20190325164221.5d8687bd@shemminger-XPS-13-9360> From: Andy Lutomirski Date: Mon, 25 Mar 2019 17:10:00 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down To: Stephen Hemminger , Linux API Cc: Matthew Garrett , James Morris , LSM List , LKML , David Howells , Alexei Starovoitov , Network Development , Chun-Yi Lee , Daniel Borkmann , Kees Cook , Will Drewry Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 25, 2019 at 4:42 PM Stephen Hemminger wrote: > > On Mon, 25 Mar 2019 15:09:50 -0700 > Matthew Garrett wrote: > > > From: David Howells > > > > There are some bpf functions can be used to read kernel memory: > > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > > private keys in kernel memory (e.g. the hibernation image signing key) to > > be read by an eBPF program and kernel memory to be altered without > > restriction. > > > > Completely prohibit the use of BPF when the kernel is locked down. > > > > Suggested-by: Alexei Starovoitov > > Signed-off-by: David Howells > > cc: netdev@vger.kernel.org > > cc: Chun-Yi Lee > > cc: Alexei Starovoitov > > Cc: Daniel Borkmann > > Signed-off-by: Matthew Garrett > > Wouldn't this mean that Seccomp won't work in locked down mode? I wasn't cc'd on this series, nor was linux-api, so it's awkward to review. A while back, I suggested an approach to actually make this stuff mergeable: submit a patch series that adds lockdown mode, enables it by command line option (and maybe sysctl) *only* and has either no effect or only a token effect. Then we can add actual features to lockdown mode one at a time and review them separately. And I'm going to complain loudly unless two things change about this whole thing: 1. Lockdown mode becomes three states, not a boolean. The states are: no lockdown, best-effort-to-protect-kernel-integrity, and best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF mess illustrates why: most users will really strongly object to turning off BPF when they actually just want to protect kernel integrity. And as far as I know, things like Secure Boot policy will mostly care about integrity, not secrecy, and tracing and such should work on a normal locked-down kernel. So I think we need this knob. 2. All the proponents of this series, and the documentation, needs to document that it's best effort. There will always be security bugs, and there will always be things we miss. --Andy