diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-28 15:39:51 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-28 15:39:51 -0500 |
commit | b5c40a84c0054fb8a26f568305e5408dc25e758e (patch) | |
tree | bd7be1120be5b88c21b70f1aea6ce920241eae6a /efi-lockdown.patch | |
parent | ff59239f88c3bce149f848b54684fca4862ba2e5 (diff) | |
download | kernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.tar.gz kernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.tar.xz kernel-b5c40a84c0054fb8a26f568305e5408dc25e758e.zip |
Remove bpf restriction for now, revisit (rhbz 1622986)
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r-- | efi-lockdown.patch | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index 4e6ed15c2..4f84f4715 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -1525,45 +1525,6 @@ index 102160ff5c66..4f5757732553 100644 -- 2.14.3 -From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001 -From: David Howells <dhowells@redhat.com> -Date: Wed, 4 Apr 2018 14:45:38 +0100 -Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the - kernel is locked down - -There are some bpf functions can be used to read kernel memory: -bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow -private keys in kernel memory (e.g. the hibernation image signing key) to -be read by an eBPF program. - -Completely prohibit the use of BPF when the kernel is locked down. - -Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> -Signed-off-by: David Howells <dhowells@redhat.com> -cc: netdev@vger.kernel.org -cc: Chun-Yi Lee <jlee@suse.com> -cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> ---- - kernel/bpf/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 0244973ee544..7457f2676c6d 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz - if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) - return -EPERM; - -+ if (kernel_is_locked_down("BPF")) -+ return -EPERM; -+ - err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); - if (err) - return err; --- -2.14.3 - From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Wed, 4 Apr 2018 14:45:38 +0100 |