Date: Wed, 3 Apr 2019 17:32:44 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-23-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 22/27] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov, Matthew Garrett, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction. Disable them if the kernel has been locked down in
confidentiality mode.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
 kernel/trace/bpf_trace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 8b068adb9da1..9e8eda605b5e 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. @@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, @@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing -- 2.21.0.392.gf8f6787159e-goog
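Review bot: in the bpf_probe_read hunk (@@ -137,6 +137,9 @@) the early `return -EINVAL;` bypasses the existing failure path `if (unlikely(ret < 0)) memset(dst, 0, size);`, so when lockdown is active the helper returns with dst unwritten, whereas every other failure of this helper zeroes it. The new path should keep that contract, e.g. `memset(dst, 0, size); return -EINVAL;`, or set `ret = -EINVAL` and fall through to the existing memset and return.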
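Review bot: in the bpf_probe_write_user hunk (@@ -156,6 +159,8 @@) the inserted check is missing the blank line after `return -EINVAL;` that the other three hunks have, so it runs directly into the `/* Ensure we're in user context ... */` comment. Separately, this helper writes user memory rather than reading kernel memory, so the commit message's reason for gating it under LOCKDOWN_CONFIDENTIALITY ("kernel memory to be altered without restriction") does not describe what the helper does; the description should state the actual confidentiality concern, or the helper should be gated under whichever lockdown level covers integrity.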
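Review bot: in the bpf_trace_printk hunk (@@ -207,6 +212,9 @@) `kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)` runs on every helper invocation, which is the tracing hot path, and the same per-call placement is used in the other three hunks. Rejecting the helper once at program load time, where the helper function protos are resolved, would refuse the program up front instead of paying the check on each call (and, given the "BPF" reason string, potentially reporting each refusal); if the per-call check is deliberate, the commit message should say why load-time rejection was not chosen.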
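Review bot: the bpf_probe_read_str hunk (@@ -535,6 +543,9 @@) gates a fourth helper that the commit message does not mention; it lists only bpf_probe_read, bpf_probe_write_user and bpf_trace_printk, so the description should name bpf_probe_read_str as well. As with bpf_probe_read, the early `return -EINVAL;` leaves dst untouched, and the surrounding comment already notes that strncpy_from_unsafe() "will likely not fill the entire buffer"; confirm that an entirely unwritten dst on -EINVAL is acceptable to callers, or zero it before returning.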