Remove bpf restriction for now, revisit (rhbz 1622986)

2018-08-28 15:39:51 -05:00 · 2018-08-28 15:39:51 -05:00 · b5c40a84c0
commit b5c40a84c0
parent ff59239f88
1 changed files with 0 additions and 39 deletions
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644
 -- 
 2.14.3

-From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program.
-
-Completely prohibit the use of BPF when the kernel is locked down.
-
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
---
- kernel/bpf/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 0244973ee544..7457f2676c6d 100644
--- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
- 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
- 		return -EPERM;
-
-+	if (kernel_is_locked_down("BPF"))
-+		return -EPERM;
-+
- 	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
- 	if (err)
- 		return err;
-- 
-2.14.3
-
 From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100