[V31,21/25] Lock down kprobes when in confidentiality mode

Message ID	20190326182742.16950-22-matthewgarrett@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Date: Tue, 26 Mar 2019 11:27:37 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-22-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> Subject: [PATCH V31 21/25] Lock down kprobes when in confidentiality mode From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov <alexei.starovoitov@gmail.com>, Matthew Garrett <mjg59@google.com>, "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>, Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>, davem@davemloft.net, Masami Hiramatsu <mhiramat@kernel.org> Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	Add support for kernel lockdown \| expand [V31,00/25] Add support for kernel lockdown [V31,01/25] Add the ability to lock down access to the running kernel image [V31,02/25] Enforce module signatures if the kernel is locked down [V31,03/25] Restrict /dev/{mem,kmem,port} when the kernel is locked down [V31,04/25] kexec_load: Disable at runtime if the kernel is locked down [V31,05/25] Copy secure_boot flag in boot params across kexec reboot [V31,06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE [V31,07/25] kexec_file: Restrict at runtime if the kernel is locked down [V31,08/25] hibernate: Disable when the kernel is locked down [V31,09/25] uswsusp: Disable when the kernel is locked down [V31,10/25] PCI: Lock down BAR access when the kernel is locked down [V31,11/25] x86: Lock down IO port access when the kernel is locked down [V31,12/25] x86/msr: Restrict MSR access when the kernel is locked down [V31,13/25] ACPI: Limit access to custom_method when the kernel is locked down [V31,14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down [V31,15/25] acpi: Disable ACPI table override if the kernel is locked down [V31,16/25] Prohibit PCMCIA CIS storage when the kernel is locked down [V31,17/25] Lock down TIOCSSERIAL [V31,18/25] Lock down module params that specify hardware parameters (eg. ioport) [V31,19/25] x86/mmiotrace: Lock down the testmmiotrace module [V31,20/25] Lock down /proc/kcore [V31,21/25] Lock down kprobes when in confidentiality mode [V31,22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode [V31,23/25] Lock down perf when in confidentiality mode [V31,24/25] lockdown: Print current->comm in restriction messages [V31,25/25] debugfs: Disable open() when kernel is locked down

Message ID

20190326182742.16950-22-matthewgarrett@google.com (mailing list archive)

State

New, archived

Headers

Date: Tue, 26 Mar 2019 11:27:37 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-22-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 21/25] Lock down kprobes when in confidentiality mode
From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        linux-api@vger.kernel.org, luto@kernel.org,
        Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        Matthew Garrett <mjg59@google.com>,
        "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>,
        Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>,
        davem@davemloft.net, Masami Hiramatsu <mhiramat@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

Add support for kernel lockdown | expand

Commit Message

Matthew Garrett March 26, 2019, 6:27 p.m. UTC

From: David Howells <dhowells@redhat.com>

Disallow the creation of kprobes when the kernel is locked down in
confidentiality mode by preventing their registration.  This prevents
kprobes from being used to access kernel memory to steal crypto data.

Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: davem@davemloft.net
Cc: Masami Hiramatsu <mhiramat@kernel.org>
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..b9781bd2db8c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@  int register_kprobe(struct kprobe *p)
 	struct module *probed_mod;
 	kprobe_opcode_t *addr;
 
+	if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY))
+		return -EPERM;
+
 	/* Adjust probe address from symbol */
 	addr = kprobe_addr(p);
 	if (IS_ERR(addr))

[V31,21/25] Lock down kprobes when in confidentiality mode

Commit Message

Patch