Received: by 10.223.164.202 with SMTP id h10csp455209wrb; Thu, 9 Nov 2017 08:53:17 -0800 (PST) X-Google-Smtp-Source: ABhQp+QGOW3NrC2ovKn7Y8jPjK9Dga4ElSIb9+hlRq/3YqJkBjpwejLl6afxPLV13GP3Bhe7ui4W X-Received: by 10.159.207.143 with SMTP id z15mr987711plo.159.1510246397175; Thu, 09 Nov 2017 08:53:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510246397; cv=none; d=google.com; s=arc-20160816; b=MzXS5UVZ/wjBllknxOcSw/pCOKsY2gTlpNwCMJA31gKZi9RXU0X+KBHUo3R4txIm6+ OA6RnGQaKIQ8IopjhYc1nYiPHWmNMNCv4Ei6DVRuJPsnVkPkPFi5yRDEUB4+lI8Q33wO 1lulXmOZ51XpCzfjNbO95yacDN9bbZ6PZmBfsLDsjD+NQpFqGCAA3jqYM8zU09JYDNn8 hWX5LSEYvKIHMyFzHM/piSeX1w6Pajjigv2yGC6H8Jl1G7QOJ38/+OfKM4XJ5HOCX41J 8aPXNypCFe+aKyPX56MSDYeMlJp9WazQr/vm5VBPMY1M6RDka42+LuKoXJmYyiob8Hmz bq0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:from:organization :arc-authentication-results; bh=Pl2zFliIJ6JB4ixiw48QzXSBlEtDmTJEg1vHneNUUiM=; b=gTZ9qyarUwB4f+9Oi6SVmlAug7Czq/q6cSCle+1f2AMsefMDWRB8YdlRns0xpFONJe 1aZ9vTDKohzlNWlPmQI0V33+vFSARcgn2a0dQUzV2t31xBK86EhG1W60xOE5wy/W+rPr Z8reO1glz1G4RdpOwq5lPiyYjUzywQFGtMye/2d39iIpRAQOAJNQdNSNDTDd1wlkVXnF 3f1chhyXjIlBpNYlZLEIdYEVz+8rv9q5W9HTQMxjGdf9DsZzhEaRCuFMjDXwa45Dv8MJ Wm0KMiOLJrGVCN9xvPGFrXJNGeCGsv7SiGwZ1zwTnguAw1eq+UyDP3b7POWV4Aq8lE4y QEcQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p18si6820414pge.204.2017.11.09.08.53.05; Thu, 09 Nov 2017 08:53:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753957AbdKIQwK convert rfc822-to-8bit (ORCPT + 81 others); Thu, 9 Nov 2017 11:52:10 -0500 Received: from mx1.redhat.com ([209.132.183.28]:16888 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753785AbdKIQwI (ORCPT ); Thu, 9 Nov 2017 11:52:08 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 74BC9C058ED4; Thu, 9 Nov 2017 16:52:08 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-121-14.rdu2.redhat.com [10.10.121.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id C468A6C41E; Thu, 9 Nov 2017 16:52:06 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells To: ananth@linux.vnet.ibm.com cc: dhowells@redhat.com, alexei.starovoitov@gmail.com, Anil S Keshavamurthy , "David S. Miller" , Masami Hiramatsu , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [RFC][PATCH] Lock down kprobes MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <11785.1510246325.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Thu, 09 Nov 2017 16:52:05 +0000 Message-ID: <11786.1510246325@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 09 Nov 2017 16:52:08 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, I need to lock down kprobes under secure boot conditions as part of the patch series that can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down Can you tell me that if the attached patch is sufficient to the cause? Thanks, David --- commit ffb3484d6e0f1d625f8e84a6a19c139a28a52499 Author: David Howells Date: Wed Nov 8 16:14:12 2017 +0000 Lock down kprobes Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to access kernel memory, either to make modifications or to steal crypto data. Reported-by: Alexei Starovoitov Signed-off-by: David Howells diff --git a/kernel/kprobes.c b/kernel/kprobes.c index a1606a4224e1..f06023b0936c 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr)) From 1583607638041240280@xxx Thu Nov 09 16:45:31 +0000 2017 X-GM-THRID: 1583515606617523183 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread