Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6480786ybi; Wed, 31 Jul 2019 15:23:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqz+bn3HAEhL79CqAzBuKesJsZwt0OWxwXJPv6AgvUAejBCKKlnKPUao+JuFJ7/tbC0E9gdx X-Received: by 2002:a17:902:2de4:: with SMTP id p91mr91758389plb.28.1564611818105; Wed, 31 Jul 2019 15:23:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564611818; cv=none; d=google.com; s=arc-20160816; b=E8FrhKAcn8Hu06qq0JjdZGCmSeJKbIk84oKHSmr6ZAptJGhjCu7xcjsOzhLMZ8nKaX nGI5tXH7l4+eEhW5j91b6E/UdjobUjlv1zLoilnhxRHBgZwowdMWhx3q1PlqMVZc9/07 PdsDKRkFb+xdTKDtJqhefzbEASMt6p9qHiqv7TPHwv4cd6AaeUuFtjvkIrBgR9zB6Nd5 3K07ckiiXWUfskyVPplOplh2rIjKSSDUzrH2a1AktbRRh8RXMJaIcwStMjGfnIyaZYjZ J9A9b/N5SdIze43z/nGjyO/JUk++tYQE0ZjrjHQB+Sukjb86+HhkrSzQ3JfCkTzAo72G 2xrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=XvMhL8IcfVDNreN9SwFKf8wrtWYtjyv1vRVRyj1buwk=; b=0kVk4rBm1ytFj1RvAEUeA/EHMlAT2o37B3F2Ymu68HfllrGz1BtuDApnjHhVB00bkK PZZ6y9G1clWSbFSsOvciA6jWZDgCbp2kzIoPukbRZW98dsPHPpsLtfdTq25KfMBEEze/ 43qX2WKuRP16ytblxNCrzZ8+UZvSilOaHAQH0D8IE3pUfYrzY7J08RMuI9G4HctIlrVN VlLHrm/en5HykxHnDgU6Y+uuU4LMKk582FUr8V0MjkKl+AVPiA5rnJDgYnW5qX3M1Brp sS3cfv+HG1Ab0DJak9c0qVa0EOdy+NN+l7BhdLKR3+JOSMsJI99OIYXm/8GtTwIatd5V GzmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=W9cI3RPf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t35si6891016pgm.8.2019.07.31.15.23.23; Wed, 31 Jul 2019 15:23:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=W9cI3RPf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731374AbfGaWRZ (ORCPT + 99 others); Wed, 31 Jul 2019 18:17:25 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:34852 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731363AbfGaWRX (ORCPT ); Wed, 31 Jul 2019 18:17:23 -0400 Received: by mail-pf1-f202.google.com with SMTP id r142so44142113pfc.2 for ; Wed, 31 Jul 2019 15:17:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=XvMhL8IcfVDNreN9SwFKf8wrtWYtjyv1vRVRyj1buwk=; b=W9cI3RPflL4c24ovch/52afOAvuq1DhLW6d+6JcVypuSEDBi+/161uWz7FOWeu7l4o uuYOAnN5evOgfmJXgdhaUbz2WJptg4yJiMR6Wwye9GuFVZ5Ps5yrdZkg6keJgh9ul0gA k/ByRAD38a/Ih7GV117hNLB0q0GSb29kFiM8p989TjI8wClGYyeKbp9V4iNkueKeEbyo PcmSQDUbYAAcXEWtWMO6R5czWcQ8/y/bPH9coyx4WgrjoiKhBp0/D6Yrod5WE0sy4+Pa 38NNF2OHvq8iNfaw5+k7mRWujpt5sGnyv1dCGMfXJeZddS4XAMRCPd+QFTLcyT1XdYtM px1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=XvMhL8IcfVDNreN9SwFKf8wrtWYtjyv1vRVRyj1buwk=; b=igraVpHIdDmD+5g1ur26IBAwMctPe2n7SZ5uHIDyZnIBqDzkgjIjOIYi6570GA0u4q Sh7ygGFdl8wXcMuS8VPn+zpjAZ7e8bVZdXzo7XW+e1KUJjjYVcuEZPZkdaqDdpF1w8L1 rLRijoLlrBo2Vc2xIDdl5+6VFOaYsaUuOZypLgWTIZBdbm4OIifTPz+Q+ubz+hVuF1zG oBxCptQKhdL4ZbRHs9so2RqO4+hKNWuaLQAvhhZb5QTth04VV6gMiMjr14SW6AyQ22NQ /pez0/M+B9IW9Y+IKkI/tKukWuIgkXoNVLDXjMpQe3g5wMMRpZARvxKdLQkSlUhIFiwn qHGQ== X-Gm-Message-State: APjAAAXAmcSRTZjcoeTxlrz/hp14RC9oLJMEeaCGWeuDnSuMWB+AUbmC MsycY5jtQ3GgqQCfYjZp7pgyNk/I2KZVJGaUpKKO6Q== X-Received: by 2002:a63:b20f:: with SMTP id x15mr6928111pge.453.1564611442370; Wed, 31 Jul 2019 15:17:22 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:10 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 22/29] Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 9d483ad9bb6c..d5fbade68b33 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include /* for COMMAND_LINE_SIZE */ @@ -389,6 +390,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_kprobe_is_registered(tk)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c050b82c7f9f..6b123cbf3748 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog