| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Mar 2019 16:42:21 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: Matthew Garrett <matthewgarrett@...gle.com>
Cc: jmorris@...ei.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, dhowells@...hat.com,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
netdev@...r.kernel.org, Chun-Yi Lee <jlee@...e.com>,
Daniel Borkmann <daniel@...earbox.net>,
Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...capital.net>,
Will Drewry <wad@...omium.org>
Subject: Re: [PATCH 23/27] bpf: Restrict kernel image access functions when
the kernel is locked down
On Mon, 25 Mar 2019 15:09:50 -0700
Matthew Garrett <matthewgarrett@...gle.com> wrote:
> From: David Howells <dhowells@...hat.com>
>
> There are some bpf functions can be used to read kernel memory:
> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> private keys in kernel memory (e.g. the hibernation image signing key) to
> be read by an eBPF program and kernel memory to be altered without
> restriction.
>
> Completely prohibit the use of BPF when the kernel is locked down.
>
> Suggested-by: Alexei Starovoitov <alexei.starovoitov@...il.com>
> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: netdev@...r.kernel.org
> cc: Chun-Yi Lee <jlee@...e.com>
> cc: Alexei Starovoitov <alexei.starovoitov@...il.com>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Signed-off-by: Matthew Garrett <matthewgarrett@...gle.com>
Wouldn't this mean that Seccomp won't work in locked down mode?
Powered by blists - more mailing lists