[PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

Matthew Garrett mjg59 at google.com
Mon Jun 24 21:30:46 UTC 2019


On Mon, Jun 24, 2019 at 2:22 PM Daniel Borkmann <daniel at iogearbox.net> wrote:
> Agree, for example, bpf_probe_write_user() can never write into
> kernel memory (only user one). Just thinking out loud, wouldn't it
> be cleaner and more generic to perform this check at the actual function
> which performs the kernel memory without faulting? All three of these
> are in mm/maccess.c, and the very few occasions that override the
> probe_kernel_read symbol are calling eventually into __probe_kernel_read(),
> so this would catch all of them wrt lockdown restrictions. Otherwise
> you'd need to keep tracking every bit of new code being merged that
> calls into one of these, no? That way you only need to do it once like
> below and are guaranteed that the check catches these in future as well.

Not all paths into probe_kernel_read/write are from entry points that
need to be locked down (eg, as far as I can tell ftrace can't leak
anything interesting here).



More information about the Linux-security-module-archive mailing list