On Mon, 25 Mar 2019 16:42:21 -0700
Stephen Hemminger [off-list ref] wrote:

On Mon, 25 Mar 2019 15:09:50 -0700
Matthew Garrett [off-list ref] wrote:

quoted

From: David Howells <dhowells@redhat.com>

There are some bpf functions can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov <redacted>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <redacted>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Matthew Garrett <redacted>  

Wouldn't this mean that Seccomp won't work in locked down mode?

Never mind. This is about bpf system call, not locking out all bpf in general.