From patchwork Thu Feb 28 23:12:00 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10834251
Date: Thu, 28 Feb 2019 15:12:00 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-24-matthewgarrett@google.com>
References: <20190228231203.212359-1-matthewgarrett@google.com>
Subject: [PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com

From: David Howells

There are some bpf functions that can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
--- kernel/bpf/syscall.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 8577bb7f8be6..e78dbe5473c9 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2593,6 +2593,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;
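Review bot: The kernel_is_locked_down("BPF") check sits at the top of SYSCALL_DEFINE3(bpf, ...), before cmd is looked at, so it returns -EPERM for every bpf() command, while the subject line ("Restrict kernel image access functions") and the first paragraph of the commit message name only three helpers: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. Please either retitle the patch to say that bpf() is refused entirely under lockdown, or add a short comment above the check recording why the whole syscall is blocked rather than just those helpers, so a later reader of kernel/bpf/syscall.c does not have to find this thread. A second, smaller point: the new return uses the same -EPERM as the sysctl_unprivileged_bpf_disabled path immediately above it, so from the error code alone a caller cannot tell a lockdown denial from a missing CAP_SYS_ADMIN; a comment noting that this is intentional would help.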