Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1238824ybi; Fri, 21 Jun 2019 17:07:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqw71SRbnXcwXfg1dJ6+owFT00CNyYh4JF//atFdLdIHdZLFiKpqX6g6xkIlG03gWeKdcN6p X-Received: by 2002:a17:902:8a87:: with SMTP id p7mr117007175plo.124.1561162025542; Fri, 21 Jun 2019 17:07:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561162025; cv=none; d=google.com; s=arc-20160816; b=QYNA5KxoGs5d7IfZ+UDGqNBN1+pnf6W1Rnl2QQVyoErdoYgI8cb/iHngM54NX884k2 Ml1qFI6rvXGLR5ME8LzzCv+ssTAKfgx3cfDmzBvpq+JuRjmzzo8BnpBOYhMeneI6kibU d2j+x0fIm1WERha9czerrCYrgN7dsKBxDtvSLvV8beX2KhSmWem0A8uhsPkWEblgb9Wr Dv9NWvHKjwGxVQUC8zP6WpOUBwIE7N3Rfc6nfQdnsmmYBia/nSQy3UIzZk6Q90nnqw2b 9YddYwnHFmenAFaalvGhIUCURkJnkboOPkhfK3wbAwXCTtjR7WAaus7qZZLP0xF4uWiX MbMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=vG+Ky1xMciAt56WQw2EjTPdmD541F+3aHNW5aR09cZM=; b=H8KXPRYTY6YBeYQrQhZUdz0QzawiBdsJxaLCSfjmYNOBh2CupF3i7cev9fKdg/InMc UoBab34DT0vGJrNHQ/BWaBYOhhWblu1NpzOC8Wv4W7OqUhHRvR3mK+s7ypB1afhYQVAV AkJXjUVYNdDO18b3iCbcg2LdSXapxCS1S43sDlUfYk/eAeEFiMRZXZuVTZV2fODfQ/63 IDL638IA1Kdu+9yKrqwPW+bdCIv2p8K9cyEFuoEcmrxyL6h+alP+Yjqrl941qH1eqXwv tTCjGYZKIVj5mPay/j8OXs4n60h/tQ0cN0yQxAej4/O7PFBPami0y5o/YwbBMy4L2Vk6 dEBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UL4Qk25h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si3844853plo.223.2019.06.21.17.06.50; Fri, 21 Jun 2019 17:07:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UL4Qk25h; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726654AbfFVAGH (ORCPT + 99 others); Fri, 21 Jun 2019 20:06:07 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:52039 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726905AbfFVAE5 (ORCPT ); Fri, 21 Jun 2019 20:04:57 -0400 Received: by mail-pf1-f202.google.com with SMTP id 145so5302271pfv.18 for ; Fri, 21 Jun 2019 17:04:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=vG+Ky1xMciAt56WQw2EjTPdmD541F+3aHNW5aR09cZM=; b=UL4Qk25hc3SNUo5XrSqPPvfC8ObTMPlrZFg4JcxukENDqlnfup3f9RtnrkiwHcxOQy +CX3ihK97Qg38Ne2dRLsC03qRKG63yC8UfLws2djrH8nyLWGoz9EnjOIu7rh8v1Wzyu2 /m5932Iq9XT+iN6P0dpcU6tlmMNrWuQEgFtEdAXz36MufIe2TmZfNtd1Ly1f3GhlLVIF OSk80xD/ELnXzf7ZMFPRQUyPJDpkxWOTnQrNocZhtWH043t2QGiQVvXzAGZB0uyzSd7l nVv1uzBdGuaWozCwN4byv7d/DDbzNdPbmHEM5gcxtro0RsRDzsCA1ioy64MXtW42aBMa GGiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=vG+Ky1xMciAt56WQw2EjTPdmD541F+3aHNW5aR09cZM=; b=GF0eqb99lGqPQbTTHDO3+QDtLEagiYAGSf49WeJ5s3qh1h32y1SB08+T5+0KjNu/JU 4vbuPzYCJu4yeaUpx29GOVOKFqDlfbUwb3lsRhPGfUb00mdg+aF0aNn/spMAewXL9ORy fYt+2wCxSxCxhNDgFHImsu2S+SBExVbuV9YW9ELtdOc4WEiiKwVvLj59unR+yAkfb3pM tHPdu/I77E7AhU0nbpPAtDJ+Ildpubyy1tDEpOLC3Iz2KtDMwJ+CdaZUTZNh1utI6W/v T9KikzgPa9UA+FWsknceNxv/Q4TW3YDuegAJPgb2S8/BV0b6Bgi801rXHOk0lHXTvpKj bZmg== X-Gm-Message-State: APjAAAWa2a8UJ10BHTP9m02fwS6PodRH0gm5661/DcMJO/kbmJqCKttX Iqvoaw47um23nnIiVprgYRrCvZdR6EaUO/+C24WUNw== X-Received: by 2002:a65:50c3:: with SMTP id s3mr20935624pgp.177.1561161897008; Fri, 21 Jun 2019 17:04:57 -0700 (PDT) Date: Fri, 21 Jun 2019 17:03:51 -0700 In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com> Message-Id: <20190622000358.19895-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190622000358.19895-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog Subject: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net, Masami Hiramatsu Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 3875f6df2ecc..e6e3e2403474 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -96,6 +96,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 5d5129b05df7..5a76a0f79d48 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 4c9b324dfc55..5a08c17f224d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog