Date: Wed, 8 Nov 2017 22:01:48 +0530
From: Ananth N Mavinakayanahalli
To: David Howells
Cc: Anil S Keshavamurthy, "David S. Miller", Masami Hiramatsu, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Lock down kprobes
Reply-To: ananth@linux.vnet.ibm.com
References: <14323.1510158093@warthog.procyon.org.uk>
In-Reply-To: <14323.1510158093@warthog.procyon.org.uk>
Message-Id: <20171108163148.GA8882@in.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 08, 2017 at 04:21:33PM +0000, David Howells wrote:
> Hi,
>
> I need to lock down kprobes under secure boot conditions as part of the patch
> series that can be found here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down
>
> Can you tell me that if the attached patch is sufficient to the cause?

This will not prevent the raw kprobe events from working. If your intention is
to prevent *any* kprobe registration, the best place to do that is in
register_kprobe() in kernel/probes.c

Ananth