[PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

[PATCH V36 00/29] security: Add kernel lockdown functionality · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 01/29] security: Support early LSMs · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 01/29] security: Support early LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-18
[PATCH V36 02/29] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 02/29] security: Add a "locked down" LSM hook · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-18
[PATCH V36 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 06/29] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 07/29] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 11/29] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 13/29] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 18/29] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Kees Cook <hidden> · 2019-07-18
[PATCH V36 21/29] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Kees Cook <hidden> · 2019-07-18
Re: [PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-07-29
[PATCH V36 24/29] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 27/29] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 27/29] tracefs: Restrict tracefs when the kernel is locked down · Steven Rostedt <rostedt@goodmis.org> · 2019-07-25
[PATCH] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-30
Re: [PATCH] tracefs: Restrict tracefs when the kernel is locked down · Steven Rostedt <rostedt@goodmis.org> · 2019-07-31
[PATCH V36 29/29] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 26/29] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-07-18
Re: [PATCH V36 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-07-29
[PATCH V36 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 16/29] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 10/29] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 04/29] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-07-18
[PATCH V36 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-07-18

STALE2497d

From: Matthew Garrett <hidden>
Date: 2019-07-18 19:45:24
Also in: linux-api, lkml, netdev
Subsystem: bpf [general] (safe dynamic programs and tools), bpf [security & lsm] (security audit and enforcement using bpf), bpf [tracing], lockdown security module, security subsystem, the rest, tracing · Maintainers: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, KP Singh, Matt Bobrowski, Song Liu, Nicolas Bouchinet, Xiu Jianfeng, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds, Steven Rostedt, Masami Hiramatsu

From: David Howells <dhowells@redhat.com>

bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
private keys in kernel memory to be leaked. Disable them if the kernel
has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov <redacted>
Signed-off-by: Matthew Garrett <redacted>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <redacted>
Cc: Daniel Borkmann <daniel@iogearbox.net>
---
 include/linux/security.h     |  1 +
 kernel/trace/bpf_trace.c     | 10 ++++++++++
 security/lockdown/lockdown.c |  1 +
 3 files changed, 12 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 987d8427f091..8dd1741a52cd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h

@@ -118,6 +118,7 @@ enum lockdown_reason {
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,
+	LOCKDOWN_BPF_READ,
 	LOCKDOWN_CONFIDENTIALITY_MAX,
 };

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index ca1255d14576..492a8bfaae98 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c

@@ -142,8 +142,13 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
 {
 	int ret;
 
+	ret = security_locked_down(LOCKDOWN_BPF_READ);
+	if (ret < 0)
+		goto out;
+
 	ret = probe_kernel_read(dst, unsafe_ptr, size);
 	if (unlikely(ret < 0))
+out:
 		memset(dst, 0, size);
 
 	return ret;

@@ -569,6 +574,10 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
 {
 	int ret;
 
+	ret = security_locked_down(LOCKDOWN_BPF_READ);
+	if (ret < 0)
+		goto out;
+
 	/*
 	 * The strncpy_from_unsafe() call will likely not fill the entire
 	 * buffer, but that's okay in this circumstance as we're probing

@@ -580,6 +589,7 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
 	 */
 	ret = strncpy_from_unsafe(dst, unsafe_ptr, size);
 	if (unlikely(ret < 0))
+out:
 		memset(dst, 0, size);
 
 	return ret;

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 6b123cbf3748..1b89d3e8e54d 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c

@@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",
+	[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };

-- 
2.22.0.510.g264f2c817a-goog

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help