On Mon, Jun 24, 2019 at 2:22 PM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote: > Agree, for example, bpf_probe_write_user() can never write into > kernel memory (only user one). Just thinking out loud, wouldn't it > be cleaner and more generic to perform this check at the actual function > which performs the kernel memory without faulting? All three of these > are in mm/maccess.c, and the very few occasions that override the > probe_kernel_read symbol are calling eventually into __probe_kernel_read(), > so this would catch all of them wrt lockdown restrictions. Otherwise > you'd need to keep tracking every bit of new code being merged that > calls into one of these, no? That way you only need to do it once like > below and are guaranteed that the check catches these in future as well. Not all paths into probe_kernel_read/write are from entry points that need to be locked down (eg, as far as I can tell ftrace can't leak anything interesting here).
