On Thu, Nov 09, 2017 at 04:52:05PM +0000, David Howells wrote:
> Hi,
>
> I need to lock down kprobes under secure boot conditions as part of the patch
> series that can be found here:
>
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lock-down
>
> Can you tell me that if the attached patch is sufficient to the cause?
Yes, this patch will prevent any kprobe registration.
Ananth
>
> Thanks,
> David
> ---
> commit ffb3484d6e0f1d625f8e84a6a19c139a28a52499
> Author: David Howells <dhowe...@redhat.com>
> Date: Wed Nov 8 16:14:12 2017 +0000
>
> Lock down kprobes
>
> Disallow the creation of kprobes when the kernel is locked down by
> preventing their registration. This prevents kprobes from being used to
> access kernel memory, either to make modifications or to steal crypto
> data.
>
> Reported-by: Alexei Starovoitov <alexei.starovoi...@gmail.com>
> Signed-off-by: David Howells <dhowe...@redhat.com>
>
> diff --git a/kernel/kprobes.c b/kernel/kprobes.c
> index a1606a4224e1..f06023b0936c 100644
> --- a/kernel/kprobes.c
> +++ b/kernel/kprobes.c
> @@ -1530,6 +1530,9 @@ int register_kprobe(struct kprobe *p)
> struct module *probed_mod;
> kprobe_opcode_t *addr;
>
> + if (kernel_is_locked_down("Use of kprobes"))
> + return -EPERM;
> +
> /* Adjust probe address from symbol */
> addr = kprobe_addr(p);
> if (IS_ERR(addr))
