On Mon, Mar 25, 2019 at 4:42 PM Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx> wrote: > > On Mon, 25 Mar 2019 15:09:50 -0700 > Matthew Garrett <matthewgarrett@xxxxxxxxxx> wrote: > > > From: David Howells <dhowells@xxxxxxxxxx> > > > > There are some bpf functions can be used to read kernel memory: > > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > > private keys in kernel memory (e.g. the hibernation image signing key) to > > be read by an eBPF program and kernel memory to be altered without > > restriction. > > > > Completely prohibit the use of BPF when the kernel is locked down. > > > > Suggested-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > > cc: netdev@xxxxxxxxxxxxxxx > > cc: Chun-Yi Lee <jlee@xxxxxxxx> > > cc: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> > > Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx> > > Signed-off-by: Matthew Garrett <matthewgarrett@xxxxxxxxxx> > > Wouldn't this mean that Seccomp won't work in locked down mode? I wasn't cc'd on this series, nor was linux-api, so it's awkward to review. A while back, I suggested an approach to actually make this stuff mergeable: submit a patch series that adds lockdown mode, enables it by command line option (and maybe sysctl) *only* and has either no effect or only a token effect. Then we can add actual features to lockdown mode one at a time and review them separately. And I'm going to complain loudly unless two things change about this whole thing: 1. Lockdown mode becomes three states, not a boolean. The states are: no lockdown, best-effort-to-protect-kernel-integrity, and best-effort-to-protect-kernel-secrecy-and-integrity. And this BPF mess illustrates why: most users will really strongly object to turning off BPF when they actually just want to protect kernel integrity. And as far as I know, things like Secure Boot policy will mostly care about integrity, not secrecy, and tracing and such should work on a normal locked-down kernel. So I think we need this knob. 2. All the proponents of this series, and the documentation, needs to document that it's best effort. There will always be security bugs, and there will always be things we miss. --Andy
