Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4686169ybi; Mon, 15 Jul 2019 13:02:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqzL6Rj4uXdgYNUI6Iynq08PaG7l046b3iQOICgKFngh2i4bXZrYwcGKScTuk+e3eG01yUJh X-Received: by 2002:a17:90a:a410:: with SMTP id y16mr31508423pjp.62.1563220968473; Mon, 15 Jul 2019 13:02:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563220968; cv=none; d=google.com; s=arc-20160816; b=XQ2Wyb7SS6dZHpSUwNS2n2ammSFlUSrzqiPrG5/Rwmxf7Z5lVHZdHDom0xbqIcEMli MuHkcUAU/OxiU4ds2u/h3V7WQRJ7orgkybO8pg/8M/KeBg5P/dmot3dgj88jmPUeCGSf a37IWl9sYYi6MiSZJwSN2pNkrDmUymhJdOQ/4Zd1GbWh5+2S1i2DF95e7W2XytRPzT4L ihtoW0Ry7zYERpCEzaMLZP2OKNMKrhmrSGIecXTFLbgWRXkDWOMcfs5UDGDjQAj7fAzT 7K0Dc02zs0orrq64QQ++citcX6BomFt/rW19RPTHJ/vqNDbhRBcI7epvi4O7a1pIPMqU bFkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=uhU8rRk9ssWJivLHP7v3OR1+99tdkTFoizPFQKNdwe8=; b=s4p1qRDRI83jlTumzR+H21xz3Eb2onXKcrRLSTkMNyd2U2EUHH4RpofAaG6pLVkdsd B1PNIxut/YVnP+oD/oEQklsIZVY27G6qK/enV7RCBh1IHPop8DW3cbczEFPtNwWrBl4T SgL3DynMa9oLIUUDlWIOzrGFv4I0qrWvomp87LiifdHgqa9XniALanOCGPJ+nnNItByp /e95/FaGL1uzoymdmCjZYlo5bKUPGyYsNhzUx9QMk+1yHdGIdRbSgfGjrvf8liCx2Cw0 +5X2kVRNroh+8e1NFCV8UlR7kXZmo+txKzhnSkTiGXAX03D6M1sXRGSQ9bGhR9t70dZC VC+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=JJBIrjjJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n66si16534929pga.263.2019.07.15.13.02.32; Mon, 15 Jul 2019 13:02:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=JJBIrjjJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732683AbfGOUA7 (ORCPT + 99 others); Mon, 15 Jul 2019 16:00:59 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:53696 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732618AbfGOUAx (ORCPT ); Mon, 15 Jul 2019 16:00:53 -0400 Received: by mail-qt1-f201.google.com with SMTP id h47so15824212qtc.20 for ; Mon, 15 Jul 2019 13:00:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=uhU8rRk9ssWJivLHP7v3OR1+99tdkTFoizPFQKNdwe8=; b=JJBIrjjJzae8JoufMUY5p2Xzah+XXUlMVPZRSmZOY36Jgo20AhbpPZawkEBT4xt9CI UMnuaCruuSHuXXvqdFZBMtwSvl4t0IqdLAWwTmYA52CfjZGA3E4i8Gfl2ESgAszhKDWH 1oEEltwJN2uPQ3KjZNWNFT+0uMtDU4H1avgCjsBQu3I6RhBh3srjJDwJPD1QLjUhDVdU 8+jctr+k5408YV2PlndTV18NE43rC+ipzp7az2r5gd6dXRRGRlBBoi/2hUPYmZ30+PCU X+MNhgkwY1Y72MueKA0y585tPXunJy8hcgIfBqY/aBrhr2wnBn2wAliTIc0u45bqvkWY qb3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=uhU8rRk9ssWJivLHP7v3OR1+99tdkTFoizPFQKNdwe8=; b=CXi7jvHYpd/nyAuF7WTQcRlgjGZK5AkpFNrL33/SYCr77WqvjxcAS1+I0HpMLQK+R6 69BSffsNXtufhtrNekfMnqf5kKTsZE48yOpNS7wn5ICes/ws9S5cwzvX8Rbv+Sx54M0y 5X/U/QTuBAav88Ljiq+pJgkly5RE4BKoShLSziBYep5Qqb1ybXv0mUkZ/5c+2MRRY/h8 +7yMIY+EMWdPycjNxf/WmuHiv3JutouijBmHrqyG0q8x04fdvZyDQqVyQ9hBfTI05LIo ZYS6mxM4Eaj7pgxlK2hBpnNI6whHHNG0FlEfxGvS0uNGeNEizVHUJ94yNEtODl9z0DaU LjaA== X-Gm-Message-State: APjAAAUB6SvEG/kv8vaL28N1VR08SP+KyM3zHqrsVv+Y8sDstuwLAble hRogBVDaJqdYFUDEjItsgyLtRHaZC2IaPuRjI2RWZw== X-Received: by 2002:ac8:142:: with SMTP id f2mr19678032qtg.336.1563220851847; Mon, 15 Jul 2019 13:00:51 -0700 (PDT) Date: Mon, 15 Jul 2019 12:59:39 -0700 In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com> Message-Id: <20190715195946.223443-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190715195946.223443-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog Subject: [PATCH V35 22/29] Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 7d736248a070..fcb28b0702b2 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 9c097240a3a6..ccb3e9a2a47c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.510.g264f2c817a-goog