| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Apr 2018 18:23:28 +0200
From: Jann Horn <jannh@...gle.com>
To: David Howells <dhowells@...hat.com>,
Alexei Starovoitov <ast@...nel.org>
Cc: Andy Lutomirski <luto@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Theodore Y. Ts'o" <tytso@....edu>,
Matthew Garrett <mjg59@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
James Morris <jmorris@...ei.org>,
Alan Cox <gnomes@...rguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Justin Forbes <jforbes@...hat.com>,
linux-man <linux-man@...r.kernel.org>, joeyli <jlee@...e.com>,
LSM List <linux-security-module@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Kees Cook <keescook@...omium.org>,
linux-efi <linux-efi@...r.kernel.org>
Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)
+ast@...nel.org
On Wed, Apr 4, 2018 at 6:17 PM, David Howells <dhowells@...hat.com> wrote:
> Andy Lutomirski <luto@...nel.org> wrote:
[...]
>> 3. All the bpf and tracing stuf, etc, gets changed so it only takes
>> effect when LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY is set.
>
> Uh, no. bpf, for example, can be used to modify kernel memory.
I'm pretty sure bpf isn't supposed to be able to modify arbitrary
kernel memory. AFAIU if you can use BPF to write to arbitrary kernel
memory, that's a bug; with CAP_SYS_ADMIN, you can read from userspace,
write to userspace, and read from kernelspace, but you shouldn't be
able to write to kernelspace.
Powered by blists - more mailing lists