[PATCH 22/27] Lock down kprobes

Matthew Garrett matthewgarrett at google.com
Mon Mar 25 22:09:49 UTC 2019

From: David Howells <dhowells at redhat.com>

Disallow the creation of kprobes when the kernel is locked down by
preventing their registration.  This prevents kprobes from being used to
access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov <alexei.starovoitov at gmail.com>
Signed-off-by: David Howells <dhowells at redhat.com>
Signed-off-by: Matthew Garrett <matthewgarrett at google.com>
Cc: Naveen N. Rao <naveen.n.rao at linux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy at intel.com>
Cc: davem at davemloft.net
Cc: Masami Hiramatsu <mhiramat at kernel.org>
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..6f66cca8e2c6 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p)
 	struct module *probed_mod;
 	kprobe_opcode_t *addr;
+	if (kernel_is_locked_down("Use of kprobes"))
+		return -EPERM;
 	/* Adjust probe address from symbol */
 	addr = kprobe_addr(p);
 	if (IS_ERR(addr))

More information about the Linux-security-module-archive mailing list