Received: by 10.223.164.202 with SMTP id h10csp364797wrb;
        Thu, 9 Nov 2017 07:32:18 -0800 (PST)
X-Google-Smtp-Source: ABhQp+SckkZ7ZBeaTuqcfFHc6P7KOaiSIQdWPMcSUXTimksP1w+ZdWXyaSdpyjnAjvwoJ4q5YElH
X-Received: by 10.99.110.6 with SMTP id j6mr856132pgc.246.1510241538244;
        Thu, 09 Nov 2017 07:32:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510241538; cv=none;
        d=google.com; s=arc-20160816;
        b=E1VwM+prBqApo/E0EoFuqtAqQDWwyaR9ZMOPijfSmvU879hf14sMVjp4MikFw6fELr
         m8Xwj8vBx8AeQbfvXIwmJ8XbxNJK0Wyn5PdOx+Kst7PSMEDh++BWsfSFvwcJGkBcFL1r
         XiA32KhmZbP8UgwIFfDqnuFIlFxu7dWllXE3SvkeIAHFz4kXpXp0Y5OBa0GPp2Y/nU/J
         EIF+tXtAmLSsj5ojr2SXzbUuPVJ78UfXw6jWvzkXLB52tZdx/PpseVQVVzlAIiuIi1ZT
         aBJlRQaZ8QJyl2v05J74ycQUj22m8C/gc+FRKOjswHSMNDoB7kMi/y/7nl4uyHSbfwia
         FPlQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:content-id:mime-version
         :subject:cc:to:references:in-reply-to:from:organization
         :arc-authentication-results;
        bh=agl7R1TNuvM2eeIJ5LZqwYpc8clBunNdV1xON1z4EO4=;
        b=r2M2jWtiWKxMAo3YLMTt2YJK7rIUDibvZzUTyFnJFDwjEQ7dRqRh3nGLJVaMsPfZCg
         K8e0FomHbhsY2zFyRfnGLbMGznrXz68+rf0rVO1EPTJIKMhPnXuR9qU7OWV/ryWREW6n
         K/lZfIp4cUWL+n3L7assbw/ZX7VJ836bkgK7MlI8Z1HA60+oFwbUc3rWp03yxILvVaT5
         h80FNNvK2k3wf7ys8XjikZAdeM7XXWva/EIYNo+L13747Qnl/4G24gokF9wmbdlMxb5E
         0z+APXAd+GpoxMPUevdghSG1DsSkgcVj3y3Stu7Ki+qTRjwENon9KCvrhQA2WfVG2mNL
         Ca4Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m25si6626829pgn.588.2017.11.09.07.32.06;
        Thu, 09 Nov 2017 07:32:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752738AbdKIPbO (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 80 others); Thu, 9 Nov 2017 10:31:14 -0500
Received: from mx1.redhat.com ([209.132.183.28]:34382 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751348AbdKIPbN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Nov 2017 10:31:13 -0500
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 0EBBCC04B928;
        Thu,  9 Nov 2017 15:31:13 +0000 (UTC)
Received: from warthog.procyon.org.uk (ovpn-121-14.rdu2.redhat.com [10.10.121.14])
        by smtp.corp.redhat.com (Postfix) with ESMTP id B4AE66BF95;
        Thu,  9 Nov 2017 15:31:11 +0000 (UTC)
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From:   David Howells <dhowells@redhat.com>
In-Reply-To: <20171108163148.GA8882@in.ibm.com>
References: <20171108163148.GA8882@in.ibm.com> <14323.1510158093@warthog.procyon.org.uk>
To:     ananth@linux.vnet.ibm.com
Cc:     dhowells@redhat.com,
        Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>,
        "David S. Miller" <davem@davemloft.net>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Lock down kprobes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26978.1510241470.1@warthog.procyon.org.uk>
Date:   Thu, 09 Nov 2017 15:31:10 +0000
Message-ID: <26979.1510241470@warthog.procyon.org.uk>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 09 Nov 2017 15:31:13 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

So this?

Thanks,
David
---
commit b5bb759d5e7f99c357b82b8066a9106b817de965
Author: David Howells <dhowells@redhat.com>
Date:   Wed Nov 8 16:14:12 2017 +0000

    Lock down kprobes
    
    Disallow the creation of kprobes when the kernel is locked down by
    preventing their registration.
    
    Signed-off-by: David Howells <dhowells@redhat.com>

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index a1606a4224e1..f06023b0936c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p)
 	struct module *probed_mod;
 	kprobe_opcode_t *addr;
 
+	if (kernel_is_locked_down("Use of kprobes"))
+		return -EPERM;
+
 	/* Adjust probe address from symbol */
 	addr = kprobe_addr(p);
 	if (IS_ERR(addr))

From 1583516251548433154@xxx Wed Nov 08 16:32:58 +0000 2017
X-GM-THRID: 1583515606617523183
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread