From: Matthew Garrett
Date: Mon, 24 Jun 2019 14:30:46 -0700
Subject: Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
To: Daniel Borkmann
Cc: Andy Lutomirski, James Morris, LSM List, Linux Kernel Mailing List, Linux API, David Howells, Alexei Starovoitov, Network Development, Chun-Yi Lee, Jann Horn, bpf@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 24, 2019 at 2:22 PM Daniel Borkmann wrote:
> Agree, for example, bpf_probe_write_user() can never write into
> kernel memory (only user one). Just thinking out loud, wouldn't it
> be cleaner and more generic to perform this check at the actual function
> which performs the kernel memory without faulting? All three of these
> are in mm/maccess.c, and the very few occasions that override the
> probe_kernel_read symbol are calling eventually into __probe_kernel_read(),
> so this would catch all of them wrt lockdown restrictions. Otherwise
> you'd need to keep tracking every bit of new code being merged that
> calls into one of these, no? That way you only need to do it once like
> below and are guaranteed that the check catches these in future as well.

Not all paths into probe_kernel_read/write are from entry points that
need to be locked down (eg, as far as I can tell ftrace can't leak
anything interesting here).
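
Added example, not part of the original message or of the patch series: a user-space C model of the two check placements discussed in this exchange, showing which callers each placement blocks in confidentiality mode. Every model_* name, the policy enum and the -EPERM return value are assumptions made for illustration, not kernel APIs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space model only: every model_* name is hypothetical, not a kernel API. */
enum model_lockdown { MODEL_NONE, MODEL_INTEGRITY, MODEL_CONFIDENTIALITY };
enum model_policy { CHECK_IN_PRIMITIVE, CHECK_AT_ENTRY_POINT };

static enum model_lockdown level = MODEL_NONE;
static enum model_policy policy = CHECK_AT_ENTRY_POINT;

void model_configure(enum model_lockdown l, enum model_policy p) { level = l; policy = p; }
static bool model_confidential(void) { return level == MODEL_CONFIDENTIALITY; }

/* Stand-in for the shared read primitive that every caller ends up in. */
static long model_probe_read(void *dst, const void *src, size_t n)
{
    if (policy == CHECK_IN_PRIMITIVE && model_confidential())
        return -EPERM; /* assumed error code; this one check hits all callers */
    memcpy(dst, src, n);
    return 0;
}

/* Stand-in for a BPF helper: what it reads can be handed back to user space. */
long model_bpf_read_helper(void *dst, const void *src, size_t n)
{
    if (policy == CHECK_AT_ENTRY_POINT && model_confidential())
        return -EPERM; /* per-entry-point check: must be repeated in each such caller */
    return model_probe_read(dst, src, n);
}

/* Stand-in for an in-kernel tracing caller assumed not to expose the data. */
long model_tracer_read(void *dst, const void *src, size_t n)
{
    return model_probe_read(dst, src, n);
}

int main(void)
{
    char secret[8] = "kdata", out[8]; /* constructed sample data */
    enum model_policy p[] = { CHECK_IN_PRIMITIVE, CHECK_AT_ENTRY_POINT };
    for (int i = 0; i < 2; i++) {
        model_configure(MODEL_CONFIDENTIALITY, p[i]);
        long b = model_bpf_read_helper(out, secret, sizeof(secret));
        long t = model_tracer_read(out, secret, sizeof(secret));
        printf("policy %d: bpf helper=%ld tracer=%ld\n", i, b, t);
    }
    return 0;
}
```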