From: Andy Lutomirski
Date: Thu, 20 Jun 2019 22:22:21 -0700
Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
To: Matthew Garrett
Cc: James Morris, linux-security@vger.kernel.org, LKML, Linux API, David Howells, Alexei Starovoitov, Matthew Garrett, Network Development, Chun-Yi Lee, Daniel Borkmann
References: <20190621011941.186255-1-matthewgarrett@google.com> <20190621011941.186255-25-matthewgarrett@google.com>
In-Reply-To: <20190621011941.186255-25-matthewgarrett@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 20, 2019 at 6:21 PM Matthew Garrett wrote:
>
> From: David Howells
>
> There are some bpf functions that can be used to read kernel memory:
> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> private keys in kernel memory (e.g. the hibernation image signing key) to
> be read by an eBPF program and kernel memory to be altered without
> restriction. Disable them if the kernel has been locked down in
> confidentiality mode.

This patch exemplifies why I don't like this approach:

> @@ -97,6 +97,7 @@ enum lockdown_reason {
> LOCKDOWN_INTEGRITY_MAX,
> LOCKDOWN_KCORE,
> LOCKDOWN_KPROBES,
> + LOCKDOWN_BPF,
> LOCKDOWN_CONFIDENTIALITY_MAX,

> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
> [LOCKDOWN_INTEGRITY_MAX] = "integrity",
> [LOCKDOWN_KCORE] = "/proc/kcore access",
> [LOCKDOWN_KPROBES] = "use of kprobes",
> + [LOCKDOWN_BPF] = "use of bpf",
> [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",

The text here says "use of bpf", but what this patch is *really* doing is locking down use of BPF to read kernel memory. If the details change, then every LSM needs to get updated, and we risk breaking user policies that are based on LSMs that offer excessively fine granularity.

I'd be more comfortable if the LSM only got to see "confidentiality" or "integrity".

--Andy
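Review bot: in the enum hunk, LOCKDOWN_BPF is inserted between LOCKDOWN_KPROBES and LOCKDOWN_CONFIDENTIALITY_MAX, i.e. above LOCKDOWN_INTEGRITY_MAX, so it can only take effect once the kernel is in confidentiality mode. The commit message, though, also says these helpers allow "kernel memory to be altered without restriction", which is an integrity concern that this placement leaves unaddressed in integrity mode. Either the write-capable path needs a reason in the integrity range (below LOCKDOWN_INTEGRITY_MAX), or the message should be narrowed to the read helpers so that the description and the enumerator's position agree.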
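Review bot: in the lockdown_reasons hunk, the user-visible string "use of bpf" overstates what is blocked: per the commit message only three helpers (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk) are disabled, not BPF as a whole, so an administrator reading the denial message would draw the wrong conclusion about what their lockdown policy does. Suggest naming the actual restriction, e.g. `+ [LOCKDOWN_BPF] = "use of bpf to read kernel memory",`. The mechanics are fine: the array is sized LOCKDOWN_CONFIDENTIALITY_MAX+1 and the new enumerator sits before that terminator, so the designated initializer keeps index and array size consistent.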
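To make the disagreement above concrete, here is an added, user-space model of the mechanism the two hunks touch; it is not code from the patch, from the kernel, or from either author. It assumes the kernel's check has the shape "deny any reason at or below the current lockdown level" (so a reason's position in the enum decides which mode blocks it), borrows LOCKDOWN_MODULE_SIGNATURE from the kernel's integrity range as a comparison point, and the function names `lockdown_is_locked_down`, `coarse_class` and `all_reasons_named` are mine. It shows why LOCKDOWN_BPF, placed where the patch puts it, is untouched by integrity-mode lockdown, and what the coarse two-class view Andy asks for would return to an LSM.

```c
/* Added illustration (not the patch's or the kernel's code): a user-space
 * model of how an ordered enum of lockdown reasons becomes a permit/deny
 * decision, and how a coarse "integrity"/"confidentiality" view can be
 * derived from a fine-grained reason. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum lockdown_reason {
	LOCKDOWN_NONE,
	LOCKDOWN_MODULE_SIGNATURE,	/* an integrity-range reason from the kernel's list */
	LOCKDOWN_INTEGRITY_MAX,
	LOCKDOWN_KCORE,
	LOCKDOWN_KPROBES,
	LOCKDOWN_BPF,			/* the enumerator the patch adds */
	LOCKDOWN_CONFIDENTIALITY_MAX,
};

/* Mirrors the table the second hunk extends; sized by the terminator, as in the patch. */
static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
	[LOCKDOWN_NONE] = "none",
	[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
	[LOCKDOWN_KCORE] = "/proc/kcore access",
	[LOCKDOWN_KPROBES] = "use of kprobes",
	[LOCKDOWN_BPF] = "use of bpf",
	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};

/* Assumed shape of the kernel's decision: `level` is the mode the kernel was
 * locked down to, `what` the reason a caller asks about. Any reason at or
 * below the level is denied, so a reason's position in the enum decides which
 * mode blocks it. Returns 0 when allowed, -EPERM when denied. */
static int lockdown_is_locked_down(enum lockdown_reason level, enum lockdown_reason what)
{
	return level >= what ? -EPERM : 0;
}

/* The coarse view argued for in the reply: an LSM would only learn which of
 * the two classes a request falls into, never the specific feature. */
static enum lockdown_reason coarse_class(enum lockdown_reason what)
{
	return what <= LOCKDOWN_INTEGRITY_MAX ? LOCKDOWN_INTEGRITY_MAX
					      : LOCKDOWN_CONFIDENTIALITY_MAX;
}

/* Maintenance check the string table invites: every enumerator needs a
 * string, or a denial for that reason would print a NULL. Returns 1 if complete. */
static int all_reasons_named(void)
{
	for (int i = 0; i <= LOCKDOWN_CONFIDENTIALITY_MAX; i++)
		if (lockdown_reasons[i] == NULL)
			return 0;
	return 1;
}

int main(void)
{
	const enum lockdown_reason levels[] = {
		LOCKDOWN_NONE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX };
	const enum lockdown_reason asks[] = { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_BPF };

	/* Print, for each lockdown mode, whether each fine-grained reason is
	 * denied and which coarse class an LSM would be told about. */
	for (size_t l = 0; l < sizeof levels / sizeof levels[0]; l++)
		for (size_t a = 0; a < sizeof asks / sizeof asks[0]; a++)
			printf("mode=%-15s reason=%-24s -> %s (coarse: %s)\n",
			       lockdown_reasons[levels[l]], lockdown_reasons[asks[a]],
			       lockdown_is_locked_down(levels[l], asks[a]) ? "denied" : "allowed",
			       lockdown_reasons[coarse_class(asks[a])]);
	printf("reason table complete: %s\n", all_reasons_named() ? "yes" : "no");
	return 0;
}
```

Run as written, the table shows that in integrity mode unsigned module loading is denied while the BPF reason is still allowed, and that in confidentiality mode both are denied; `coarse_class` is the only thing an LSM would see under the alternative Andy describes, so adding or renaming a fine-grained reason would not change what it observes.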