[PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode

From: Matthew Garrett
Date: Fri Jun 21 2019 - 20:06:09 EST

Next message: Song Liu: "[PATCH v6 4/6] khugepaged: rename collapse_shmem() and khugepaged_scan_shmem()"
Previous message: Matthew Garrett: "[PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
In reply to: Kees Cook: "Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
Next in thread: Kees Cook: "Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells <dhowells@xxxxxxxxxx>

Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.

Reported-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
Cc: Naveen N. Rao <naveen.n.rao@xxxxxxxxxxxxx>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@xxxxxxxxx>
Cc: davem@xxxxxxxxxxxxx
Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
---
include/linux/security.h | 1 +
kernel/trace/trace_kprobe.c | 5 +++++
security/lockdown/lockdown.c | 1 +
3 files changed, 7 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 3875f6df2ecc..e6e3e2403474 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -96,6 +96,7 @@ enum lockdown_reason {
LOCKDOWN_MMIOTRACE,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_KCORE,
+ LOCKDOWN_KPROBES,
LOCKDOWN_CONFIDENTIALITY_MAX,
};

diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 5d5129b05df7..5a76a0f79d48 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -11,6 +11,7 @@
#include <linux/uaccess.h>
#include <linux/rculist.h>
#include <linux/error-injection.h>
+#include <linux/security.h>

#include "trace_dynevent.h"
#include "trace_kprobe_selftest.h"
@@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk)
{
int i, ret;

+ ret = security_locked_down(LOCKDOWN_KPROBES);
+ if (ret)
+ return ret;
+
if (trace_probe_is_registered(&tk->tp))
return -EINVAL;

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 4c9b324dfc55..5a08c17f224d 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_KCORE] = "/proc/kcore access",
+ [LOCKDOWN_KPROBES] = "use of kprobes",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};

--
2.22.0.410.gd8fdbe21b5-goog

Next message: Song Liu: "[PATCH v6 4/6] khugepaged: rename collapse_shmem() and khugepaged_scan_shmem()"
Previous message: Matthew Garrett: "[PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
In reply to: Kees Cook: "Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
Next in thread: Kees Cook: "Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]