Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Andy Lutomirski <luto@kernel.org>
Date: 2019-03-26 00:10:15
Also in:
linux-api, linux-security-module, lkml
On Mon, Mar 25, 2019 at 4:42 PM Stephen Hemminger [off-list ref] wrote:
On Mon, 25 Mar 2019 15:09:50 -0700 Matthew Garrett [off-list ref] wrote:quoted
From: David Howells <dhowells@redhat.com> There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction. Completely prohibit the use of BPF when the kernel is locked down. Suggested-by: Alexei Starovoitov <redacted> Signed-off-by: David Howells <dhowells@redhat.com> cc: netdev@vger.kernel.org cc: Chun-Yi Lee <jlee@suse.com> cc: Alexei Starovoitov <redacted> Cc: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Matthew Garrett <redacted>Wouldn't this mean that Seccomp won't work in locked down mode?
I wasn't cc'd on this series, nor was linux-api, so it's awkward to review. A while back, I suggested an approach to actually make this stuff mergeable: submit a patch series that adds lockdown mode, enables it by command line option (and maybe sysctl) *only* and has either no effect or only a token effect. Then we can add actual features to lockdown mode one at a time and review them separately. And I'm going to complain loudly unless two things change about this whole thing: 1. Lockdown mode becomes three states, not a boolean. The states are: no lockdown, best-effort-to-protect-kernel-integrity, and best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF mess illustrates why: most users will really strongly object to turning off BPF when they actually just want to protect kernel integrity. And as far as I know, things like Secure Boot policy will mostly care about integrity, not secrecy, and tracing and such should work on a normal locked-down kernel. So I think we need this knob. 2. All the proponents of this series, and the documentation, needs to document that it's best effort. There will always be security bugs, and there will always be things we miss. --Andy