On Thu, Oct 19, 2017 at 11:48:34PM +0100, David Howells wrote:

Alexei Starovoitov [off-list ref] wrote:

quoted

quoted

@@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
 {
 	int ret;
 
+	if (kernel_is_locked_down("BPF")) {
+		memset(dst, 0, size);
+		return -EPERM;
+	}

That doesn't help the lockdown purpose.
If you don't trust the root the only way to prevent bpf read
memory is to disable the whole thing.
Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down()
and don't add overhead to critical path like bpf_probe_read().

TBH, I've no idea how bpf does anything, so I can't say whether this is
better, overkill or insufficient.

ok. To make it clear:
Nacked-by: Alexei Starovoitov [off-list ref]
For the current patch.
Unnecessary checks for no good reason in performance critical
functions are not acceptable.

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html