Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-13 Thread David Howells
Alexei Starovoitov wrote: > this will obviously break the program. Yeah. But if it allows one to twiddle the kernel image or gain access to crypto material... > How about disabling loading tracing programs during the lockdown completely? Interesting thought.

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-13 Thread David Howells
Alexei Starovoitov wrote: > this will obviously break the program. Yeah. But if it allows one to twiddle the kernel image or gain access to crypto material... > How about disabling loading tracing programs during the lockdown completely? Interesting thought. I'm not sure how much would

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-12 Thread joeyli
Hi David, First, thanks for your help to send out this series. On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-12 Thread joeyli
Hi David, First, thanks for your help to send out this series. On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow >

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-06 Thread Ard Biesheuvel
On 6 April 2017 at 13:29, Alexei Starovoitov wrote: > On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: >> From: Chun-Yi Lee >> >> There are some bpf functions can be used to read kernel memory: >> bpf_probe_read, bpf_probe_write_user and

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-06 Thread Ard Biesheuvel
On 6 April 2017 at 13:29, Alexei Starovoitov wrote: > On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: >> From: Chun-Yi Lee >> >> There are some bpf functions can be used to read kernel memory: >> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow >> private

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-06 Thread Alexei Starovoitov
On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation

Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down

2017-04-06 Thread Alexei Starovoitov
On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote: > From: Chun-Yi Lee > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation image signing