[PATCH 22/27] Lock down kprobes
Matthew Garrett
matthewgarrett at google.com
Mon Mar 25 22:09:49 UTC 2019
From: David Howells <dhowells at redhat.com>
Disallow the creation of kprobes when the kernel is locked down by
preventing their registration. This prevents kprobes from being used to
access kernel memory, either to make modifications or to steal crypto data.
Reported-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
Signed-off-by: David Howells <dhowells at redhat.com>
Signed-off-by: Matthew Garrett <matthewgarrett at google.com>
Cc: Naveen N. Rao <naveen.n.rao at linux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy at intel.com>
Cc: davem at davemloft.net
Cc: Masami Hiramatsu <mhiramat at kernel.org>
---
kernel/kprobes.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..6f66cca8e2c6 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p)
struct module *probed_mod;
kprobe_opcode_t *addr;
+ if (kernel_is_locked_down("Use of kprobes"))
+ return -EPERM;
+
/* Adjust probe address from symbol */
addr = kprobe_addr(p);
if (IS_ERR(addr))
--
2.21.0.392.gf8f6787159e-goog
More information about the Linux-security-module-archive
mailing list