From patchwork Tue Mar 24 09:59:03 2020
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1260544
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Eoan 2/2] Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
Date: Tue, 24 Mar 2020 06:59:03 -0300
Message-Id: <20200324095903.5406-3-cascardo@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200324095903.5406-1-cascardo@canonical.com>
References: <20200324095903.5406-1-cascardo@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1868626

This reverts commit 311f07f8e2dbccc7dac8450548987996222675a5.

Upstream lockdown support locks down bpf reads only above the integrity level. As we are moving to an integrity level on secure boot on Focal, and there is no BPF lockdown on Bionic too, this makes Eoan behave like those two releases.

Signed-off-by: Thadeu Lima de Souza Cascardo
--- kernel/trace/bpf_trace.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 95f0c4503ed1..9805312f66a7 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -142,14 +142,8 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) { int ret; - if (kernel_is_locked_down("BPF")) { - ret = -EPERM; - goto out; - } - ret = probe_kernel_read(dst, unsafe_ptr, size); if (unlikely(ret < 0)) -out: memset(dst, 0, size); return ret; @@ -589,11 +583,6 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, { int ret; - if (kernel_is_locked_down("BPF")) { - ret = -EPERM; - goto out; - } - /* * The strncpy_from_unsafe() call will likely not fill the entire * buffer, but that's okay in this circumstance as we're probing 
@@ -605,7 +594,6 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size, */ ret = strncpy_from_unsafe(dst, unsafe_ptr, size); if (unlikely(ret < 0)) -out: memset(dst, 0, size); return ret;
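Review bot: In the first hunk (bpf_probe_read, @@ -142,14), the removed check is `kernel_is_locked_down("BPF")`, which carries no lockdown level, so deleting it lifts the restriction for every locked-down boot of this kernel, while the commit message justifies the change by upstream restricting bpf reads only above the integrity level. The message should state explicitly that Eoan has no configuration in which kernel memory reads through this helper are still meant to be blocked; if such a configuration exists, the check should be made conditional on it instead of being dropped.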
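Review bot: In the bpf_probe_read_str hunks (@@ -589,11 and @@ -605,7), the behaviour change is not documented: before this patch a locked-down kernel takes the `goto out` path, zeroes `dst` with `memset(dst, 0, size)` and returns -EPERM, and afterwards the helper goes straight to `strncpy_from_unsafe(dst, unsafe_ptr, size)`. The commit message only says "bpf reads"; it should name both affected helpers (bpf_probe_read and bpf_probe_read_str) and describe this before/after result so that SRU verification under the BugLink can test for it on a secure boot system.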