From patchwork Mon Mar 25 22:09:50 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 1064871
X-Patchwork-Delegate: bpf@iogearbox.net
Date: Mon, 25 Mar 2019 15:09:50 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-24-matthewgarrett@google.com>
References: <20190325220954.29054-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Alexei Starovoitov, netdev@vger.kernel.org, Chun-Yi Lee, Daniel Borkmann, Matthew Garrett
X-Mailing-List: netdev@vger.kernel.org

From: David Howells

There are some bpf functions that can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov
Signed-off-by: David Howells
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee
cc: Alexei Starovoitov
Cc: Daniel Borkmann
Signed-off-by: Matthew Garrett
--- kernel/bpf/syscall.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index b155cd17c1bd..2cde39a875aa 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2585,6 +2585,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;
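
Review bot: The new `kernel_is_locked_down("BPF")` check at the top of `SYSCALL_DEFINE3(bpf, ...)` returns -EPERM for every `cmd`, which is much broader than the three helpers the commit message names (bpf_probe_read, bpf_probe_write_user, bpf_trace_printk) and than the subject line's "Restrict kernel image access functions". Map operations and program types that never call those helpers are refused as well, and because the check sits after the `capable(CAP_SYS_ADMIN)` test, a privileged caller is refused too. Either gate the specific helpers at the point where they are resolved for a program, or keep the blanket check and say in the commit message and in a comment above it why the whole syscall has to be blocked, with the subject line adjusted to match. Since only syscall entry is gated here, it would also help to state whether programs loaded before lockdown took effect are expected to keep running.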