[PATCH V35 22/29] Lock down tracing and perf kprobes when in confidentiality mode

From: Matthew Garrett
Date: Mon Jul 15 2019 - 16:01:00 EST

Next message: Matthew Garrett: "[PATCH V35 24/29] Lock down perf when in confidentiality mode"
Previous message: Matthew Garrett: "[PATCH V35 19/29] Lock down module params that specify hardware parameters (eg. ioport)"
In reply to: James Morris: "Re: [PATCH V35 19/29] Lock down module params that specify hardware parameters (eg. ioport)"
Next in thread: Matthew Garrett: "[PATCH V35 24/29] Lock down perf when in confidentiality mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells <dhowells@xxxxxxxxxx>

Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.

Reported-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
Acked-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Naveen N. Rao <naveen.n.rao@xxxxxxxxxxxxx>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@xxxxxxxxx>
Cc: davem@xxxxxxxxxxxxx
Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
---
include/linux/security.h | 1 +
kernel/trace/trace_kprobe.c | 5 +++++
security/lockdown/lockdown.c | 1 +
3 files changed, 7 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index f0cffd0977d3..987d8427f091 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -117,6 +117,7 @@ enum lockdown_reason {
LOCKDOWN_MMIOTRACE,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_KCORE,
+ LOCKDOWN_KPROBES,
LOCKDOWN_CONFIDENTIALITY_MAX,
};

diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 7d736248a070..fcb28b0702b2 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -11,6 +11,7 @@
#include <linux/uaccess.h>
#include <linux/rculist.h>
#include <linux/error-injection.h>
+#include <linux/security.h>

#include "trace_dynevent.h"
#include "trace_kprobe_selftest.h"
@@ -415,6 +416,10 @@ static int __register_trace_kprobe(struct trace_kprobe *tk)
{
int i, ret;

+ ret = security_locked_down(LOCKDOWN_KPROBES);
+ if (ret)
+ return ret;
+
if (trace_probe_is_registered(&tk->tp))
return -EINVAL;

diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 9c097240a3a6..ccb3e9a2a47c 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -32,6 +32,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_KCORE] = "/proc/kcore access",
+ [LOCKDOWN_KPROBES] = "use of kprobes",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};

--
2.22.0.510.g264f2c817a-goog

Next message: Matthew Garrett: "[PATCH V35 24/29] Lock down perf when in confidentiality mode"
Previous message: Matthew Garrett: "[PATCH V35 19/29] Lock down module params that specify hardware parameters (eg. ioport)"
In reply to: James Morris: "Re: [PATCH V35 19/29] Lock down module params that specify hardware parameters (eg. ioport)"
Next in thread: Matthew Garrett: "[PATCH V35 24/29] Lock down perf when in confidentiality mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]