Remove bpf restriction for now, revisit (rhbz 1622986)

2018-08-28 15:39:51 -05:00 · 2018-08-28 15:39:51 -05:00 · b5c40a84c0
commit b5c40a84c0
parent ff59239f88
1 changed files with 0 additions and 39 deletions
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644
 -- 
 2.14.3
 From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
 Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
 kernel is locked down
 There are some bpf functions can be used to read kernel memory:
 bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
 private keys in kernel memory (e.g. the hibernation image signing key) to
 be read by an eBPF program.
 Completely prohibit the use of BPF when the kernel is locked down.
 Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
 Signed-off-by: David Howells <dhowells@redhat.com>
 cc: netdev@vger.kernel.org
 cc: Chun-Yi Lee <jlee@suse.com>
 cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
 ---
 kernel/bpf/syscall.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
 index 0244973ee544..7457f2676c6d 100644
 --- a/kernel/bpf/syscall.c
 +++ b/kernel/bpf/syscall.c
@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 +	if (kernel_is_locked_down("BPF"))
 +		return -EPERM;
 +
 	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
 	if (err)
 		return err;
 -- 
 2.14.3
 From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100