From: David Howells <dhowells@redhat.com>
Date: Mon, 18 Feb 2019 12:45:02 +0000 (+0000)
Subject: Lock down kprobes
X-Git-Tag: archive/raspbian/5.2.17-1+rpi1^2^2~38
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6ee97734f0e52ce67ba513734622a1d305a4d059;p=linux.git

Lock down kprobes

Disallow the creation of kprobes when the kernel is locked down by
preventing their registration.  This prevents kprobes from being used to
access kernel memory, either to make modifications or to steal crypto data.

Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0024-Lock-down-kprobes.patch
---

diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 445337c107e..c7192c65bfb 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1556,6 +1556,9 @@ int register_kprobe(struct kprobe *p)
 	struct module *probed_mod;
 	kprobe_opcode_t *addr;
 
+	if (kernel_is_locked_down("Use of kprobes"))
+		return -EPERM;
+
 	/* Adjust probe address from symbol */
 	addr = kprobe_addr(p);
 	if (IS_ERR(addr))