[PATCH V36 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

Matthew Garrett mjg59 at google.com
Mon Jul 29 21:47:03 UTC 2019


On Thu, Jul 18, 2019 at 12:45 PM Matthew Garrett
<matthewgarrett at google.com> wrote:
> bpf_read() and bpf_read_str() could potentially be abused to (e.g.) allow
> private keys in kernel memory to be leaked. Disable them if the kernel
> has been locked down in confidentiality mode.
>
> Suggested-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
> Signed-off-by: Matthew Garrett <mjg59 at google.com>
> cc: netdev at vger.kernel.org
> cc: Chun-Yi Lee <jlee at suse.com>
> cc: Alexei Starovoitov <alexei.starovoitov at gmail.com>
> Cc: Daniel Borkmann <daniel at iogearbox.net>

Any further feedback on this?