bpf: Restrict kernel image access functions when the kernel is locked down

There are some bpf functions can be used to read kernel memory:
bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
private keys in kernel memory (e.g. the hibernation image signing key) to
be read by an eBPF program and kernel memory to be altered without
restriction.

Completely prohibit the use of BPF when the kernel is locked down.

Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
[bwh: Adjust context to apply after commit dcab51f19b29
 "bpf: Expose check_uarg_tail_zero()"]

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 0f5d2e66cd6bbf6f75691dc616f6fc1935549c3e..45fea7886f2de9d19b9f37a91633537ba01805f2 100644 (file)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2287,6 +2287,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
        if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
                return -EPERM;
 
+       if (kernel_is_locked_down("BPF"))
+               return -EPERM;
+
        err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
        if (err)
                return err;