summaryrefslogtreecommitdiffstats
path: root/efi-lockdown.patch
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2018-08-28 15:39:51 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-08-28 15:39:51 -0500
commitb5c40a84c0054fb8a26f568305e5408dc25e758e (patch)
treebd7be1120be5b88c21b70f1aea6ce920241eae6a /efi-lockdown.patch
parentff59239f88c3bce149f848b54684fca4862ba2e5 (diff)
downloadkernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.tar.gz
kernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.tar.xz
kernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.zip
Remove bpf restriction for now, revisit (rhbz 1622986)
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r--efi-lockdown.patch39
1 files changed, 0 insertions, 39 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 4e6ed15c2..4f84f4715 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644
--
2.14.3
-From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program.
-
-Completely prohibit the use of BPF when the kernel is locked down.
-
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
----
- kernel/bpf/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 0244973ee544..7457f2676c6d 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
- if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
- return -EPERM;
-
-+ if (kernel_is_locked_down("BPF"))
-+ return -EPERM;
-+
- err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
- if (err)
- return err;
---
-2.14.3
-
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 4 Apr 2018 14:45:38 +0100