Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2700955ybi; Thu, 18 Jul 2019 12:46:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqyFuRfY/VM8Wc6ofCJkwuOcA5UQJI745G2vWA2NKmQ2+hZ1kmi7+35zSCMrEb+PhYY+eJVb X-Received: by 2002:a17:902:76c7:: with SMTP id j7mr50192690plt.247.1563479205506; Thu, 18 Jul 2019 12:46:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563479205; cv=none; d=google.com; s=arc-20160816; b=H8wBt4P0fFm43KJdPuMCieaWWsfrIiXPQUaLS+RK26D60fR0+zuFufHxZhDbeWl3IN Kz6Lhrx0Wq8bRyAjmwSyZ/Pc1EP0lJHk079jCTZrOU9PRe/d5hYNagWBZmPX7Fo42IR4 6TOdUztSNnQgJm7JgEzcwqqb2zw6xBEfWjcymk1bfxClDnkC7NbaQSVmom9jpW4Ey8Q8 2oKGREvP5dESrZwNy+SMevATyFe1Dpu0OMu8oKatFJNoAt8IYeTGpjt1OAPmi1Rieckj 9FrbBLf7DfFfmml3p9oKFwvaChzG+pSA1JpN+yiooZAfpsmzDEXUxcM57qkVpS6Psa90 DdnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=ir52NoHfEVr1DjuDuM2cD1YNKYnnMxmS3VGJXLDOV4g=; b=avS+oteqXLJl94/d8BP6mltks1L1Lc5jZb56CzfE6K4H5avshxk+x6VfqY8jQn7MZ5 mg6QNYv3eJI6vEZmL6zsjh51j1C9kT56fdRR+OCLrFFJwJKY56zBs+s5lxZInn0vXGjb HTt2HfnI3NaqTMNS6uNtcTydCRxnH4wkYVjzOHP7Aw1KClS0Mf7RgqfGWSYN5pj7DmR9 DE95fQKaAqCzfo40XCAEF3rgbx+I772KmSe6EcNixyzCyJNcqZoNU0HHJL0H/xzxF6+P FXAssjoeuGlDY7aS4j7BSmbTjmtrXBKe634eIEPx/w4toKSjsve/0MhvnOC5VgErvqCn ZeAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ef0RDKPA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q3si1284965pgs.576.2019.07.18.12.46.29; Thu, 18 Jul 2019 12:46:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ef0RDKPA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404043AbfGRTpT (ORCPT + 99 others); Thu, 18 Jul 2019 15:45:19 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:33577 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404023AbfGRTpQ (ORCPT ); Thu, 18 Jul 2019 15:45:16 -0400 Received: by mail-vk1-f201.google.com with SMTP id l80so13043641vkl.0 for ; Thu, 18 Jul 2019 12:45:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=ir52NoHfEVr1DjuDuM2cD1YNKYnnMxmS3VGJXLDOV4g=; b=ef0RDKPA6T0RAn9J0sqYw8XkCSknEd2hcD11i6wHXfcPPIvp+kHcQuTKGy6w00SqR+ z9qQt1r4ANYYmWGXYb/zrIS51+rehEPvjiBD8BsoRc85GIJA/5XJ8rEoVbUOvaBsreO5 HyTRleR4vHF/0EKKO7RFGIPxbQT/JxOkuD6jn36TRWyw+aYsuC1hsbY+/ppIQdpCX+7A Sfp97RVIiaitFBHQlbGKZSmJZtsEr2sLie57ZFO9QPxGd7zWTrYiRIKdliEF+0OBm2No qMqVObVBnwecjTSPSJIRrBbq1BHDSIdLi5ITH5lvt+W8FLpJ59I85l/CGi6W3/EFNHxo ypnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=ir52NoHfEVr1DjuDuM2cD1YNKYnnMxmS3VGJXLDOV4g=; b=rmirAXCp93ALXg+YNUUpkyUSoUmiXkprlFA++To/eI2ZWzeJOZqDEO2cWtuffVn3+U UlUmjbx/YeT7e+zf+4RFcSP3tCejQW0q7wOl0rFC/67PIOhqReO+FRGNssbzjIDzEEas 3OWf6CtmuGhdXyqc/aQ4lZO8W988V1jeKIJHF7P8mV5FD5tpAAvZaCpBk2jYgTxhVfE1 mEdwN836GfPqIiF/hVXdaHy0cmncN26wlRB5ted/wTsM9R96TZv9J+toQ4iocOIGBdeH m1+D8SxLATgnfxu/+OvZIfWkuGgT3khb7BqfkZCk4jpFQ7cppKv+KdnljBpp+VfWh2nB GYfQ== X-Gm-Message-State: APjAAAV5RMSHVMlXBTwaA4n+bHtGRcg40/clPb0o7IoSayJFeuXRk+v7 QqtIoTjXs4DFiCUzEsPPEhvbN1mSDh9Y64HF/3zuZA== X-Received: by 2002:ab0:2442:: with SMTP id g2mr11684721uan.47.1563479115556; Thu, 18 Jul 2019 12:45:15 -0700 (PDT) Date: Thu, 18 Jul 2019 12:44:08 -0700 In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com> Message-Id: <20190718194415.108476-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190718194415.108476-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog Subject: [PATCH V36 22/29] Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 7d736248a070..fcb28b0702b2 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c050b82c7f9f..6b123cbf3748 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.510.g264f2c817a-goog