Remove the bpf lockdown restriction for now; revisit later (rhbz 1622986)
parent
ff59239f88
commit
b5c40a84c0
@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644
|
|||||||
--
|
--
|
||||||
2.14.3
|
2.14.3
|
||||||
|
|
||||||
From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Howells <dhowells@redhat.com>
|
|
||||||
Date: Wed, 4 Apr 2018 14:45:38 +0100
|
|
||||||
Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
|
|
||||||
kernel is locked down
|
|
||||||
|
|
||||||
There are some bpf functions can be used to read kernel memory:
|
|
||||||
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
|
|
||||||
private keys in kernel memory (e.g. the hibernation image signing key) to
|
|
||||||
be read by an eBPF program.
|
|
||||||
|
|
||||||
Completely prohibit the use of BPF when the kernel is locked down.
|
|
||||||
|
|
||||||
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
||||||
cc: netdev@vger.kernel.org
|
|
||||||
cc: Chun-Yi Lee <jlee@suse.com>
|
|
||||||
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
|
|
||||||
---
|
|
||||||
kernel/bpf/syscall.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
|
|
||||||
index 0244973ee544..7457f2676c6d 100644
|
|
||||||
--- a/kernel/bpf/syscall.c
|
|
||||||
+++ b/kernel/bpf/syscall.c
|
|
||||||
@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
|
|
||||||
if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
|
|
||||||
return -EPERM;
|
|
||||||
|
|
||||||
+ if (kernel_is_locked_down("BPF"))
|
|
||||||
+ return -EPERM;
|
|
||||||
+
|
|
||||||
err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
|
|
||||||
if (err)
|
|
||||||
return err;
|
|
||||||
--
|
|
||||||
2.14.3
|
|
||||||
|
|
||||||
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
|
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Wed, 4 Apr 2018 14:45:38 +0100
|
Date: Wed, 4 Apr 2018 14:45:38 +0100
|
||||||
|