From b5c40a84c0054fb8a26f568305e5408dc25e758e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 28 Aug 2018 15:39:51 -0500 Subject: [PATCH] Remove bpf restriction for now, revisit (rhbz 1622986) --- efi-lockdown.patch | 39 --------------------------------------- 1 file changed, 39 deletions(-) diff --git a/efi-lockdown.patch b/efi-lockdown.patch index 4e6ed15c2..4f84f4715 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644 -- 2.14.3 -From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov -Signed-off-by: David Howells -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee -cc: Alexei Starovoitov ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 0244973ee544..7457f2676c6d 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.14.3 - From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 4 Apr 2018 14:45:38 +0100