Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3354933ybl; Mon, 19 Aug 2019 17:21:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqyahZV0MrAznAm+EK24UOlE/grStrXKfd4LMD6SZj+Q6kO7dzO3AwK5dJ4FowCA/bsEBSKc X-Received: by 2002:aa7:80d7:: with SMTP id a23mr16556087pfn.208.1566260505685; Mon, 19 Aug 2019 17:21:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566260505; cv=none; d=google.com; s=arc-20160816; b=tqMGurUXB196NgaXJNAw6jU8i0PDjo7qKP328e0bXFdmC5qTm/a4sMrt/LtoUkLX5Z 2aDIgbYB/MJsJeovbDc3EWhnNPCvViaMv3GmUhq+6eyWvzOTqIkzwK7XLZXCoZjWxAOc bkarLIrhLNk3WfLIDtDPLsEfnzWcJXEofvFzTz6NBQuyYhwHtMVnVgCKutRCgdbVdtkE GuNn2RDAFZpa4Hj57edw9LPZKzElVZondkHyGeIGSG8078FZAP78BRV4o2E3huXAao0V VNUndL6zHH0azE2F9p9LqUpi1LXZcXVPzE4nU/w+mTQnyEUiHJRk5llJmYCmD4ylU6YS 7sYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=Xx9Xy1LVHNW0tgTSSnVwIoZL9BHfKDcopwVECPb1wsc=; b=KABbgybvDvm6F9d7cZwcRkmctW3nPyL7Gth/OJgX+Fq+/BP+E377Tgyg2BCht490GE 6uBsIDhxrboZiFDaFyADxA8DPEyvkToT7q9MY3TLaFsr3T4hxYVyRPT3HhjXiaBli8rK DgKg1rQ/XJMQrnMC8EM6hJnxL9rE27Kl0sCKy6ywOW244GWWzWV/menVJoEOZuN75Bey oqaYkW5WF75bPCfYSXzg5eWLb8155lmEfrftneVqSdgiSML1uGDNL0aMUNcMbN+Co1CL wItlnqPW2w0gGs7AdKnZNCPgn/wM+DyJZjaNZCLsu+euBOZAoKZuesrlXYFHVVpM9Dxb k/vA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="F/yPzpVt"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t3si6934198pjw.105.2019.08.19.17.21.31; Mon, 19 Aug 2019 17:21:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="F/yPzpVt"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729154AbfHTATJ (ORCPT + 99 others); Mon, 19 Aug 2019 20:19:09 -0400 Received: from mail-vk1-f201.google.com ([209.85.221.201]:37469 "EHLO mail-vk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729142AbfHTATI (ORCPT ); Mon, 19 Aug 2019 20:19:08 -0400 Received: by mail-vk1-f201.google.com with SMTP id v135so2386455vke.4 for ; Mon, 19 Aug 2019 17:19:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Xx9Xy1LVHNW0tgTSSnVwIoZL9BHfKDcopwVECPb1wsc=; b=F/yPzpVt2wy+/RI8gQkTjcBM7pMdfOqXRs/Rcx+HXbPreTgnQ44pNYo0mDGDUxvGEX bEWLJ9FU/qcn5HXlisW13gVjagvurjM7pXRJDLFO3k0QBYCIGITFcWsSSLhvoSXZhZ4v zf/nuuJTriWiZ1FX8j5uaG8iyW6Tq8BCyiQrxilehohXoQjUKJTcI7b92Q+sV+IRM3eb gsu02kbge5xj064n08ySG2E0hadOem6mN26HMordi9Z3QSRdBgmpiSuP/uu7ZDxdm5pm /ex9tUgx95/DmzWh00bg/8OYGi0Y5GIbzkzb0djk5Qvro5V/+6OpxnvCdu8sR6WlEcQD z62Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Xx9Xy1LVHNW0tgTSSnVwIoZL9BHfKDcopwVECPb1wsc=; b=trBA8e0XHYQb3TR3n/hN+9Us+dm+xXsW7sWUaevXI449h41JGo09sDi9EFSEknijOR lQqXsdXOrdq5r+e3HQ8c2E0RE8HmmLXlOen1S9UlQVWV6IE6MWBCnQz5XODnIjYTFAbd AhxM+FnwEy275p6yv+76L9wJtK2MhGZ0nbkwK+S6+15OH0jWMXRoqGS7PcJW7Dg3p8k+ yvkR8rcI3sR3bTX6XEzUmMIpH+K9y8ce+zQYY2QDwXsYvniUkslcncszM+Lt9jvu2qJR pfVeVa82bSytXlm52XUpagMtf5dftCP867rzGBTPHdP2S2V12SRUYilhehpOmtM4b7hm qzew== X-Gm-Message-State: APjAAAWs5oL08nNkEF2fv8anpK/a0S3c6zzJOD0fx3RVFZLDp4VjTV9U WWmayaSXQbKq0dx5oeC32InKVnq+suDcg4vxsucyAg== X-Received: by 2002:ab0:67d6:: with SMTP id w22mr15722265uar.68.1566260347590; Mon, 19 Aug 2019 17:19:07 -0700 (PDT) Date: Mon, 19 Aug 2019 17:17:58 -0700 In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com> Message-Id: <20190820001805.241928-23-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190820001805.241928-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.23.0.rc1.153.gdeed80330f-goog Subject: [PATCH V40 22/29] lockdown: Lock down tracing and perf kprobes when in confidentiality mode From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, David Howells , Alexei Starovoitov , Matthew Garrett , Masami Hiramatsu , Kees Cook , "Naveen N . Rao" , Anil S Keshavamurthy , davem@davemloft.net Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells Disallow the creation of perf and ftrace kprobes when the kernel is locked down in confidentiality mode by preventing their registration. This prevents kprobes from being used to access kernel memory to steal crypto data, but continues to allow the use of kprobes from signed modules. Reported-by: Alexei Starovoitov Signed-off-by: David Howells Signed-off-by: Matthew Garrett Acked-by: Masami Hiramatsu Reviewed-by: Kees Cook Cc: Naveen N. Rao Cc: Anil S Keshavamurthy Cc: davem@davemloft.net Cc: Masami Hiramatsu Signed-off-by: James Morris --- include/linux/security.h | 1 + kernel/trace/trace_kprobe.c | 5 +++++ security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 669e8de5299d..0b2529dbf0f4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -117,6 +117,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, + LOCKDOWN_KPROBES, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index 7d736248a070..fcb28b0702b2 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "trace_dynevent.h" #include "trace_kprobe_selftest.h" @@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk) { int i, ret; + ret = security_locked_down(LOCKDOWN_KPROBES); + if (ret) + return ret; + if (trace_probe_is_registered(&tk->tp)) return -EINVAL; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 403b30357f75..27b2cf51e443 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", + [LOCKDOWN_KPROBES] = "use of kprobes", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog