git.baikalelectronics.ru Git - kernel.git/commit

author	David Howells <dhowells@redhat.com>
	Tue, 20 Aug 2019 00:17:58 +0000 (17:17 -0700)
committer	James Morris <jmorris@namei.org>
	Tue, 20 Aug 2019 04:54:16 +0000 (21:54 -0700)
commit	08f22635aaeb7a9b07d3b5325fd50fb45d02f15e
tree	37a2c9cbe4da7ed515a8009e49672a3853b48c67	tree \| snapshot
parent	bd350f82ce538677d62b407d30797ebe3d67aa33	commit \| diff

lockdown: Lock down tracing and perf kprobes when in confidentiality mode

Disallow the creation of perf and ftrace kprobes when the kernel is
locked down in confidentiality mode by preventing their registration.
This prevents kprobes from being used to access kernel memory to steal
crypto data, but continues to allow the use of kprobes from signed
modules.

Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: davem@davemloft.net
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>

include/linux/security.h		diff \| blob \| history
kernel/trace/trace_kprobe.c		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history