Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode

From: Matthew Garrett
Date: Mon Jun 24 2019 - 16:15:59 EST


On Mon, Jun 24, 2019 at 1:09 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote:

> I'm confused. I understand why we're restricting bpf_probe_read().
> Why are we restricting bpf_probe_write_user() and bpf_trace_printk(),
> though?

Hmm. I think the thinking here was around exfiltration mechanisms, but
if the read is blocked then that seems less likely. This seems to
trace back to http://kernsec.org/pipermail/linux-security-module-archive/2017-October/003545.html
- Joey, do you know the reasoning here?