[PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

David Howells dhowells at redhat.com
Fri Aug 30 16:32:58 UTC 2019


Matthew Garrett <matthewgarrett at google.com> wrote:

> From: David Howells <dhowells at redhat.com>
> 
> bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
> private keys in kernel memory to be leaked. Disable them if the kernel
> has been locked down in confidentiality mode.
> 
> Suggested-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
> Signed-off-by: Matthew Garrett <mjg59 at google.com>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> cc: netdev at vger.kernel.org
> cc: Chun-Yi Lee <jlee at suse.com>
> cc: Alexei Starovoitov <alexei.starovoitov at gmail.com>
> Cc: Daniel Borkmann <daniel at iogearbox.net>
> Signed-off-by: James Morris <jmorris at namei.org>

Signed-off-by: David Howells <dhowells at redhat.com>



More information about the Linux-security-module-archive mailing list