Thread: 13 messages, 7 authors, 2019-03-28

Re: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down

From: Jordan Glover <hidden>
Date: 2019-03-26 13:54:51
Also in: linux-security-module, lkml

On Tuesday, March 26, 2019 12:00 AM, Daniel Borkmann [off-list ref] wrote:

> On 03/26/2019 12:42 AM, Stephen Hemminger wrote:
> > On Mon, 25 Mar 2019 15:09:50 -0700
> > Matthew Garrett <matthewgarrett@google.com> wrote:
> > > From: David Howells <dhowells@redhat.com>
> > >
> > > There are some bpf functions that can be used to read kernel memory:
> > > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
> > > private keys in kernel memory (e.g. the hibernation image signing key) to
> > > be read by an eBPF program and kernel memory to be altered without
> > > restriction.
>
> I'm not sure where 'kernel memory to be altered without restriction' comes
> from, but it's definitely a wrong statement.
>
> > > Completely prohibit the use of BPF when the kernel is locked down.
>
> In which scenarios will the lock-down mode be used? Mostly niche? I'm asking
> as this would otherwise break a lot of existing stuff ... I'd prefer you find
> a better solution to this than this straight -EPERM rejection.

AFAIK this change breaks IPAddressAllow/IPAddressDeny usage in systemd services
which makes them LESS secure.

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
https://github.com/systemd/systemd/blob/04d7ca022843913fba5170c40be07acf2ab5902b/README#L96

Jordan
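
Added example (not part of the thread or of systemd's code): the message above concerns units that set IPAddressAllow=/IPAddressDeny=, which systemd enforces with BPF programs attached to the unit's cgroup. The sketch below lists which units would lose that filtering if BPF were rejected; the function names and sample units are constructed for illustration.

```python
# Added example: find systemd units whose IP filtering depends on BPF.
ACL_KEYS = ("IPAddressAllow", "IPAddressDeny")

def effective_ip_acls(unit_text):
    """Return {'IPAddressAllow': [...], 'IPAddressDeny': [...]} for one unit.

    Follows the systemd.resource-control rules: the settings may repeat,
    each line may hold several whitespace-separated entries, and an empty
    assignment resets the list built so far.
    """
    acls = {key: [] for key in ACL_KEYS}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ACL_KEYS:
            continue
        entries = value.split()
        if entries:
            acls[key].extend(entries)
        else:
            acls[key] = []  # empty assignment clears earlier entries
    return acls

def units_relying_on_bpf(units):
    """Names of units that end up with a non-empty allow or deny list."""
    return sorted(name for name, text in units.items()
                  if any(effective_ip_acls(text).values()))

# Constructed sample units (not taken from the thread).
SAMPLE_UNITS = {
    "db-proxy.service": """[Service]
ExecStart=/usr/bin/db-proxy
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8 127.0.0.1
""",
    "open.service": """[Service]
ExecStart=/usr/bin/open
# IPAddressDeny=any
""",
    "reset.service": """[Service]
IPAddressDeny=any
IPAddressDeny=
""",
}

if __name__ == "__main__":
    for name in units_relying_on_bpf(SAMPLE_UNITS):
        print(name, effective_ip_acls(SAMPLE_UNITS[name]))
```

The parser does not merge drop-in files or follow line continuations; feed it the concatenated unit text if those are in use.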