[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190621011941.186255-24-matthewgarrett@google.com>
Date: Thu, 20 Jun 2019 18:19:34 -0700
From: Matthew Garrett <matthewgarrett@...gle.com>
To: jmorris@...ei.org
Cc: linux-security@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-api@...r.kernel.org, David Howells <dhowells@...hat.com>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Matthew Garrett <mjg59@...gle.com>,
"Naveen N . Rao" <naveen.n.rao@...ux.ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
davem@...emloft.net, Masami Hiramatsu <mhiramat@...nel.org>
Subject: [PATCH V33 23/30] Lock down tracing and perf kprobes when in
confidentiality mode
From: David Howells <dhowells@...hat.com>
Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.
Reported-by: Alexei Starovoitov <alexei.starovoitov@...il.com>
Signed-off-by: David Howells <dhowells@...hat.com>
Signed-off-by: Matthew Garrett <mjg59@...gle.com>
Cc: Naveen N. Rao <naveen.n.rao@...ux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>
Cc: davem@...emloft.net
Cc: Masami Hiramatsu <mhiramat@...nel.org>
---
include/linux/security.h | 1 +
kernel/trace/trace_kprobe.c | 4 ++++
security/lockdown/lockdown.c | 1 +
3 files changed, 6 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index 6752584729e2..dae4aa83352c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -96,6 +96,7 @@ enum lockdown_reason {
LOCKDOWN_MMIOTRACE,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_KCORE,
+ LOCKDOWN_KPROBES,
LOCKDOWN_CONFIDENTIALITY_MAX,
};
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 5d5129b05df7..940ca20987aa 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -11,6 +11,7 @@
#include <linux/uaccess.h>
#include <linux/rculist.h>
#include <linux/error-injection.h>
+#include <linux/security.h>
#include "trace_dynevent.h"
#include "trace_kprobe_selftest.h"
@@ -415,6 +416,9 @@ static int __register_trace_kprobe(struct trace_kprobe *tk)
{
int i, ret;
+ if (security_is_locked_down(LOCKDOWN_KPROBES))
+ return -EPERM;
+
if (trace_probe_is_registered(&tk->tp))
return -EINVAL;
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 80ff4a31d8aa..89ad853daec2 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_KCORE] = "/proc/kcore access",
+ [LOCKDOWN_KPROBES] = "use of kprobes",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
--
2.22.0.410.gd8fdbe21b5-goog
Powered by blists - more mailing lists