git.baikalelectronics.ru Git - kernel.git/commit

author	David Howells <dhowells@redhat.com>
	Tue, 20 Aug 2019 00:17:59 +0000 (17:17 -0700)
committer	James Morris <jmorris@namei.org>
	Tue, 20 Aug 2019 04:54:16 +0000 (21:54 -0700)
commit	5d556d2cb2eecf02aa64f354be6f0ba19af9350a
tree	fc926ba08f6b2b69c2b9341de2a16d2870b25bda	tree \| snapshot
parent	08f22635aaeb7a9b07d3b5325fd50fb45d02f15e	commit \| diff

bpf: Restrict bpf when kernel lockdown is in confidentiality mode

bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
private keys in kernel memory to be leaked. Disable them if the kernel
has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: James Morris <jmorris@namei.org>

include/linux/security.h		diff \| blob \| history
kernel/trace/bpf_trace.c		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history