Date: Tue, 26 Mar 2019 13:54:40 +0000
From: Jordan Glover
To: Daniel Borkmann
Cc: Stephen Hemminger, Matthew Garrett, jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov, netdev@vger.kernel.org, Chun-Yi Lee, Kees Cook, Andy Lutomirski, Will Drewry
Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
In-Reply-To: <1cfa7345-c807-db76-f50a-ea3ba70f07b2@iogearbox.net>
References: <20190325220954.29054-1-matthewgarrett@google.com> <20190325220954.29054-24-matthewgarrett@google.com> <20190325164221.5d8687bd@shemminger-XPS-13-9360> <1cfa7345-c807-db76-f50a-ea3ba70f07b2@iogearbox.net>

On Tuesday, March 26, 2019 12:00 AM, Daniel Borkmann wrote:

> On 03/26/2019 12:42 AM, Stephen Hemminger wrote:
>
> > On Mon, 25 Mar 2019 15:09:50 -0700
> > Matthew Garrett <matthewgarrett@google.com> wrote:
> >
> > > From: David Howells <dhowells@redhat.com>
> > >
> > > There are some bpf functions can be used to read kernel memory:
> > > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> > > private keys in kernel memory (e.g. the hibernation image signing key) to
> > > be read by an eBPF program and kernel memory to be altered without
> > > restriction.
>
> I'm not sure where 'kernel memory to be altered without restriction' comes
> from, but it's definitely a wrong statement.
>
> > > Completely prohibit the use of BPF when the kernel is locked down.
>
> In which scenarios will the lock-down mode be used? Mostly niche? I'm asking
> as this would otherwise break a lot of existing stuff ... I'd prefer you find
> a better solution to this than this straight -EPERM rejection.

AFAIK this change breaks IPAddressAllow/IPAddressDeny usage in systemd services which makes them LESS secure.

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
https://github.com/systemd/systemd/blob/04d7ca022843913fba5170c40be07acf2ab5902b/README#L96

Jordan
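For readers unfamiliar with the systemd feature Jordan refers to: IPAddressAllow= and IPAddressDeny= are per-unit network access lists that systemd enforces by loading eBPF programs and attaching them to the unit's cgroup, so they depend on the bpf() syscall succeeding. The drop-in below is an added illustration, not part of this thread or of systemd's own documentation; the unit name (example.service) and the address ranges are hypothetical.

```ini
# Added example, not from the thread: /etc/systemd/system/example.service.d/10-ipfilter.conf
# Unit name and address ranges are hypothetical placeholders.
[Service]
# Default-deny all IP traffic for this unit's cgroup ...
IPAddressDeny=any
# ... then allow only loopback and one private management network.
# Later IPAddressAllow= lines accumulate; an empty assignment resets the list.
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
```

After `systemctl daemon-reload`, `systemctl show -p IPAddressDeny -p IPAddressAllow example.service` reports the configured lists, and `journalctl -u example.service` is where systemd reports a failure to install the cgroup BPF filter. That is the defensive point behind the objection in this mail: if a locked-down kernel rejects bpf() with -EPERM, the allow/deny lists in the unit file are no longer backed by an enforcing program, and the kernel's CONFIG_CGROUP_BPF requirement listed in the systemd README is not sufficient on its own.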