[PATCH V31 21/25] Lock down kprobes when in confidentiality mode
From: Matthew Garrett
Date: Tue Mar 26 2019 - 14:29:26 EST
From: David Howells <dhowells@xxxxxxxxxx>
Disallow the creation of kprobes when the kernel is locked down in
confidentiality mode by preventing their registration. This prevents
kprobes from being used to access kernel memory to steal crypto data.
Reported-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
Cc: Naveen N. Rao <naveen.n.rao@xxxxxxxxxxxxx>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@xxxxxxxxx>
Cc: davem@xxxxxxxxxxxxx
Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
---
kernel/kprobes.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..b9781bd2db8c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p)
struct module *probed_mod;
kprobe_opcode_t *addr;
+ if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY))
+ return -EPERM;
+
/* Adjust probe address from symbol */
addr = kprobe_addr(p);
if (IS_ERR(addr))
--
2.21.0.392.gf8f6787159e-goog