[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190326182742.16950-23-matthewgarrett@google.com>
Date: Tue, 26 Mar 2019 11:27:38 -0700
From: Matthew Garrett <matthewgarrett@...gle.com>
To: jmorris@...ei.org
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, dhowells@...hat.com,
linux-api@...r.kernel.org, luto@...nel.org,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Matthew Garrett <mjg59@...gle.com>, netdev@...r.kernel.org,
Chun-Yi Lee <jlee@...e.com>,
Daniel Borkmann <daniel@...earbox.net>
Subject: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in
confidentiality mode
From: David Howells <dhowells@...hat.com>
There are some bpf functions can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction. Disable them if the kernel has been locked down in
confidentiality mode.
Suggested-by: Alexei Starovoitov <alexei.starovoitov@...il.com>
Signed-off-by: David Howells <dhowells@...hat.com>
Signed-off-by: Matthew Garrett <mjg59@...gle.com>
cc: netdev@...r.kernel.org
cc: Chun-Yi Lee <jlee@...e.com>
cc: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Daniel Borkmann <daniel@...earbox.net>
---
kernel/trace/bpf_trace.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 8b068adb9da1..9e8eda605b5e 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
{
int ret;
+ if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY))
+ return -EINVAL;
+
ret = probe_kernel_read(dst, unsafe_ptr, size);
if (unlikely(ret < 0))
memset(dst, 0, size);
@@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = {
BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
u32, size)
{
+ if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY))
+ return -EINVAL;
/*
* Ensure we're in user context which is safe for the helper to
* run. This helper has no business in a kthread.
@@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
char buf[64];
int i;
+ if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY))
+ return -EINVAL;
+
/*
* bpf_check()->check_func_arg()->check_stack_boundary()
* guarantees that fmt points to bpf program stack,
@@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
{
int ret;
+ if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY))
+ return -EINVAL;
+
/*
* The strncpy_from_unsafe() call will likely not fill the entire
* buffer, but that's okay in this circumstance as we're probing
--
2.21.0.392.gf8f6787159e-goog
Powered by blists - more mailing lists