review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	David Howells <dhowells@redhat.com>
	Tue, 20 Aug 2019 00:17:59 +0000 (17:17 -0700)
committer	James Morris <jmorris@namei.org>
	Tue, 20 Aug 2019 04:54:16 +0000 (21:54 -0700)
commit	9d1f8be5cf42b497a3bddf1d523f2bb142e9318c
tree	fc926ba08f6b2b69c2b9341de2a16d2870b25bda	tree \| snapshot
parent	a94549dd87f5ea4ca50fee493df08a2dc6256b53	commit \| diff

bpf: Restrict bpf when kernel lockdown is in confidentiality mode

bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
private keys in kernel memory to be leaked. Disable them if the kernel
has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: James Morris <jmorris@namei.org>

include/linux/security.h		diff \| blob \| history
kernel/trace/bpf_trace.c		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history