From patchwork Tue Mar 26 18:27:38 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10871957
Subject: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Alexei Starovoitov, Matthew Garrett, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann
Date: Tue, 26 Mar 2019 11:27:38 -0700
Message-Id: <20190326182742.16950-23-matthewgarrett@google.com>
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
List-ID: linux-security-module@vger.kernel.org
From: David Howells

There are some bpf functions that can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction.

Disable them if the kernel has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
 kernel/trace/bpf_trace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 8b068adb9da1..9e8eda605b5e 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -137,6 +137,9 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) memset(dst, 0, size); @@ -156,6 +159,8 @@ static const struct bpf_func_proto bpf_probe_read_proto = { BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, u32, size) { + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; /* * Ensure we're in user context which is safe for the helper to * run. This helper has no business in a kthread. @@ -207,6 +212,9 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, char buf[64]; int i; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * bpf_check()->check_func_arg()->check_stack_boundary() * guarantees that fmt points to bpf program stack, 
@@ -535,6 +543,9 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; + if (kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)) + return -EINVAL; + /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing
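Review bot: in the bpf_probe_read hunk (@@ -137) the new early `return -EINVAL` bypasses the existing failure path, which does `memset(dst, 0, size)` when probe_kernel_read fails, so under lockdown the helper returns with dst untouched while the verifier still treats the buffer as initialised and the program can read whatever stale stack or map contents it held. Route the lockdown refusal through the same zeroing instead of returning directly, e.g. set `ret = -EINVAL` and jump to a label placed on the `memset(dst, 0, size);` line, so that every non-success exit clears dst.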
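Review bot: in the bpf_probe_write_user hunk (@@ -156) the prototype shows unsafe_ptr as the destination and src as the source, i.e. this helper writes user memory rather than reading kernel memory, so the risk it poses is an integrity one; gating it at LOCKDOWN_CONFIDENTIALITY, the stricter level, means the check does not fire under an integrity-only lockdown. Either check LOCKDOWN_INTEGRITY here or state in the commit message why a user-memory write belongs under the confidentiality gate; the message currently lists it among helpers that "read kernel memory" and says kernel memory can be "altered", neither of which matches what the hunk shows.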
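Review bot: in the bpf_trace_printk hunk (@@ -207), as in the other three, the refusal is reported as -EINVAL, which tells the BPF program its arguments were invalid rather than that the operation is denied by policy; -EPERM is the conventional code for a permission denial and lets a program or its loader distinguish "locked down" from a genuinely bad argument. Separately, `kernel_is_locked_down("BPF", LOCKDOWN_CONFIDENTIALITY)` is now copied verbatim into four helpers; a single static inline wrapper in this file would keep the what-string and level in one place and make a later change of level (or of return code) a one-line edit.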
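Review bot: in the bpf_probe_read_str hunk (@@ -535) the lockdown check returns before strncpy_from_unsafe() runs, so dst keeps whatever it previously held while the verifier treats it as initialised; the helper's failure handling lies below the shown context, so please confirm whether it clears dst on error and, if it does, send the lockdown case through that same path rather than returning directly, matching how the bpf_probe_read hunk's own error path ends in `memset(dst, 0, size)`.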