author Justin M. Forbes <jforbes@fedoraproject.org> 2018-08-28 15:40:43 -0500
committer Justin M. Forbes <jforbes@fedoraproject.org> 2018-08-28 15:40:43 -0500
commit 8f77a5bad2980eaeae8d4e0b64efd7144e2dddb9 (patch)
tree e23c6f8db0c0d3c6f1a8d05273df9a4b225d541d /efi-lockdown.patch
parent f1b44b9bcfc992a71d6e109f030352999ce5beb2 (diff)
Remove bpf restriction for now, revisit (rhbz 1622986)
Diffstat (limited to 'efi-lockdown.patch')
-rw-r--r-- efi-lockdown.patch 39
1 files changed, 0 insertions, 39 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 09b89db58..f11505b9e 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -1522,45 +1522,6 @@ index 102160ff5c66..4f5757732553 100644
--
2.14.3
-From 6b5a9eaaa9d57de43e5d2fddb0087cc2d9450abc Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 22/24] bpf: Restrict kernel image access functions when the
- kernel is locked down
-
-There are some bpf functions can be used to read kernel memory:
-bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow
-private keys in kernel memory (e.g. the hibernation image signing key) to
-be read by an eBPF program.
-
-Completely prohibit the use of BPF when the kernel is locked down.
-
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-cc: netdev@vger.kernel.org
-cc: Chun-Yi Lee <jlee@suse.com>
-cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
----
- kernel/bpf/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index 0244973ee544..7457f2676c6d 100644
---- a/kernel/bpf/syscall.c
-+++ b/kernel/bpf/syscall.c
-@@ -2333,6 +2333,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
- if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
- return -EPERM;
-
-+ if (kernel_is_locked_down("BPF"))
-+ return -EPERM;
-+
- err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
- if (err)
- return err;
---
-2.14.3
-
From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Wed, 4 Apr 2018 14:45:38 +0100
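Review bot: Deleting the whole "[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down" entry takes the `kernel_is_locked_down("BPF")` check out of the bpf syscall with nothing put in its place (0 insertions, 39 deletions), so the exposure the removed description names, bpf_probe_read, bpf_probe_write_user and bpf_trace_printk letting an eBPF program read private keys in kernel memory such as the hibernation image signing key, is open again on locked-down kernels. The commit message says only "for now, revisit (rhbz 1622986)"; it should state what the blanket -EPERM broke and what is expected to replace it, so the gap is tracked rather than left implicit. If the problem is that the check rejected every bpf command, consider a narrower restriction limited to the helpers named in the description instead of dropping the protection entirely. Minor: the remaining entries in efi-lockdown.patch still carry their "N/24" subject numbering, so the series now has a hole at 22; a short comment next to the patch in the spec file would explain why.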