From: David Howells <[email protected]>

Disallow the creation of kprobes when the kernel is locked down in
confidentiality mode by preventing their registration.  This prevents
kprobes from being used to access kernel memory to steal crypto data.

Reported-by: Alexei Starovoitov <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Matthew Garrett <[email protected]>
Cc: Naveen N. Rao <[email protected]>
Cc: Anil S Keshavamurthy <[email protected]>
Cc: [email protected]
Cc: Masami Hiramatsu <[email protected]>
---
 kernel/kprobes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index f4ddfdd2d07e..b9781bd2db8c 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1552,6 +1552,9 @@ int register_kprobe(struct kprobe *p)
        struct module *probed_mod;
        kprobe_opcode_t *addr;
 
+       if (kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY))
+               return -EPERM;
+
        /* Adjust probe address from symbol */
        addr = kprobe_addr(p);
        if (IS_ERR(addr))
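Review bot: the new check at the top of register_kprobe() carries no comment, and neither the hunk nor the changelog says whether every probe-registration entry point funnels through this function. If any other path can arm a probe without calling register_kprobe(), it needs the same kernel_is_locked_down("Use of kprobes", LOCKDOWN_CONFIDENTIALITY) test; if none exists, please say so in the commit message so the coverage can be verified. Placing the test before kprobe_addr(p) is the right order, since a locked-down kernel then returns -EPERM without resolving the symbol at all. A one-line comment above the check, stating that probes can read arbitrary kernel memory, would also help later readers understand why this is gated at the confidentiality level.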
-- 
2.21.0.392.gf8f6787159e-goog
