| Message ID | 20201020210004.18977-3-konrad.wilk@oracle.com (mailing list archive) |
|---|---|
| State | RFC |
| Headers | show |
| Series | None | expand |
On Tue, Oct 20, 2020 at 04:59:59PM -0400, Konrad Rzeszutek Wilk wrote: > bpf_read() and bpf_read_str() could potentially be abused to (eg) allow > private keys in kernel memory to be leaked. Disable them if the kernel > has been locked down in confidentiality mode. > > Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> > Signed-off-by: Matthew Garrett <mjg59@google.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > cc: netdev@vger.kernel.org > cc: Chun-Yi Lee <jlee@suse.com> > cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> > Cc: Daniel Borkmann <daniel@iogearbox.net> > Signed-off-by: James Morris <jmorris@namei.org> > > [Backport notes: > The upstream version is using enums, and all that fancy code. > We are just retroffiting UEK5 a bit and just checking to > see if integrity mode has been enabled and if so then > allow it. If the default lockdown mode (confidentiality) is on > then we don't allow it.] <sigh> And that is what I get for _not_ doing --suppress-cc=all My apologies for spamming you all! <goes to hide in the corner of shame>
diff --git a/security/lock_down.c b/security/lock_down.c index 96ff1badfac0b..1b913f855d48d 100644 --- a/security/lock_down.c +++ b/security/lock_down.c @@ -57,9 +57,16 @@ void __init init_lockdown(void) */ bool __kernel_is_locked_down(const char *what, bool first) { - if (what && first && kernel_locked_down) + if (what && first && kernel_locked_down) { + /* If we are in integrity mode we allow certain callsites */ + if (!lockdown_confidentiality) { + if ((strcmp(what, "BPF") == 0)) { + return 0; + } + } pr_notice("Lockdown: %s is restricted; see man kernel_lockdown.7\n", what); + } return kernel_locked_down; } EXPORT_SYMBOL(__kernel_is_locked_down);