Date: Thu, 20 Jun 2019 18:19:34 -0700
In-Reply-To: <20190621011941.186255-1-matthewgarrett@google.com>
Message-Id: <20190621011941.186255-24-matthewgarrett@google.com>
References: <20190621011941.186255-1-matthewgarrett@google.com>
Subject: [PATCH V33 23/30] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Alexei Starovoitov, Matthew Garrett, "Naveen N . Rao", Anil S Keshavamurthy, davem@davemloft.net, Masami Hiramatsu

From: David Howells

Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: Naveen N. Rao
Cc: Anil S Keshavamurthy
Cc: davem@davemloft.net
Cc: Masami Hiramatsu
---
 include/linux/security.h     | 1 +
 kernel/trace/trace_kprobe.c  | 4 ++++
 security/lockdown/lockdown.c | 1 +
 3 files changed, 6 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h index 6752584729e2..dae4aa83352c 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -96,6 +96,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 5d5129b05df7..940ca20987aa 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,9 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + if (security_is_locked_down(LOCKDOWN_KPROBES)) + return -EPERM; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 80ff4a31d8aa..89ad853daec2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog
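
Review bot: In the include/linux/security.h hunk, the position of LOCKDOWN_KPROBES between LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX appears to be the only thing that ties it to confidentiality mode, and nothing in the visible enum says that the ordering carries meaning. A short comment on the two *_MAX markers, or on the new entry, would keep a later patch from adding a reason on the wrong side of LOCKDOWN_INTEGRITY_MAX and changing the mode in which it applies without anyone noticing.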
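
Review bot: In the kernel/trace/trace_kprobe.c hunk, the single enforcement point is the new check at the top of __register_trace_kprobe(), while the commit message promises that both perf and ftrace kprobes are refused and that kprobes from signed modules keep working. Neither property can be confirmed from the visible lines, so please add a comment above `if (security_is_locked_down(LOCKDOWN_KPROBES))` naming the creation paths that reach this function and noting that register_kprobe() is left unchecked on purpose (the diffstat touches no other kprobe code). Returning -EPERM ahead of the trace_probe_is_registered() test looks fine, since nothing has been modified at that point and no cleanup is needed.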
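
Review bot: In the security/lockdown/lockdown.c hunk, the reason string "use of kprobes" is broader than what the patch enforces: per the commit message only registration through perf and ftrace is refused, and kprobes from signed modules stay allowed. A more specific string, for example "registration of perf/ftrace kprobes", would be less misleading wherever this table is printed, and would keep the wording accurate if a separate lockdown reason for other kprobe users is ever added.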