Date: Wed, 7 Aug 2019 17:07:14 -0700
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>
Message-Id: <20190808000721.124691-23-matthewgarrett@google.com>
References: <20190808000721.124691-1-matthewgarrett@google.com>
Subject: [PATCH V38 22/29] Lock down tracing and perf kprobes when in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells, Alexei Starovoitov, Matthew Garrett, Masami Hiramatsu, Kees Cook, "Naveen N . Rao", Anil S Keshavamurthy, davem@davemloft.net

From: David Howells

Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.

Reported-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index f0cffd0977d3..987d8427f091 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 9d483ad9bb6c..d5fbade68b33 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include /* for COMMAND_LINE_SIZE */ @@ -389,6 +390,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_kprobe_is_registered(tk)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index c050b82c7f9f..6b123cbf3748 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog
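
Review bot: In the include/linux/security.h hunk, LOCKDOWN_KPROBES sits after LOCKDOWN_INTEGRITY_MAX and before LOCKDOWN_CONFIDENTIALITY_MAX, which matches the "confidentiality mode" wording of the commit message, but nothing in the enum says that position selects the lockdown level. A one-line comment on the two _MAX sentinels would keep a later addition from landing in the wrong tier. The new value also shifts LOCKDOWN_CONFIDENTIALITY_MAX, so every table sized by it needs a matching entry; the lockdown.c hunk in this patch supplies one for lockdown_reasons[].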
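
Review bot: In __register_trace_kprobe() in kernel/trace/trace_kprobe.c, the new security_locked_down(LOCKDOWN_KPROBES) check carries no comment explaining why it is placed here rather than in the core kprobe registration path. The commit message relies on this placement for both of its claims (perf and ftrace kprobes are refused, kprobes from signed modules keep working), and neither can be seen from the hunk. Please add a short comment above the check that says so, and confirm that the perf kprobe path reaches this function. Running the check before trace_kprobe_is_registered() is fine: a denied request returns before any probe state is examined or changed.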
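
Review bot: In the security/lockdown/lockdown.c hunk, the reason string "use of kprobes" is broader than what the patch gates. The only check added is in __register_trace_kprobe(), and the commit message says kprobes from signed modules remain allowed, so a reader of that string could conclude that all kprobes are blocked. Suggest narrowing the wording to the tracing and perf registration path that is actually refused.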