From patchwork Thu Nov 9 16:44:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 10051295 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 7F99B60631 for ; Thu, 9 Nov 2017 16:44:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6A5C92AC50 for ; Thu, 9 Nov 2017 16:44:46 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5E8682AE96; Thu, 9 Nov 2017 16:44:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E5F972AFFE for ; Thu, 9 Nov 2017 16:44:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753216AbdKIQop convert rfc822-to-8bit (ORCPT ); Thu, 9 Nov 2017 11:44:45 -0500 Received: from mx1.redhat.com ([209.132.183.28]:46878 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753112AbdKIQoo (ORCPT ); Thu, 9 Nov 2017 11:44:44 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5B2807E380; Thu, 9 Nov 2017 16:44:44 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-121-14.rdu2.redhat.com [10.10.121.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id DB63A6E53D; Thu, 9 Nov 2017 16:44:42 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells To: To:; Cc: dhowells@redhat.com, alexei.starovoitov@gmail.com, Anil S Keshavamurthy , "David S. Miller" , Masami Hiramatsu , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [RFC][PATCH] Lock down kprobes MIME-Version: 1.0 Content-ID: <11289.1510245882.1@warthog.procyon.org.uk> Date: Thu, 09 Nov 2017 16:44:42 +0000 Message-ID: <11290.1510245882@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Thu, 09 Nov 2017 16:44:44 +0000 (UTC) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Hi, I need to lock down kprobes under secure boot conditions as part of the patch series that can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down Can you tell me that if the attached patch is sufficient to the cause? Thanks, David --- commit ffb3484d6e0f1d625f8e84a6a19c139a28a52499 Author: David Howells Date: Wed Nov 8 16:14:12 2017 +0000 Lock down kprobes Disallow the creation of kprobes when the kernel is locked down by preventing their registration. This prevents kprobes from being used to access kernel memory, either to make modifications or to steal crypto data. Reported-by: Alexei Starovoitov Signed-off-by: David Howells -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel/kprobes.c b/kernel/kprobes.c index a1606a4224e1..f06023b0936c 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p) struct module *probed_mod; kprobe_opcode_t *addr; + if (kernel_is_locked_down("Use of kprobes")) + return -EPERM; + /* Adjust probe address from symbol */ addr = kprobe_addr(p); if (IS_ERR(addr))