[PATCH 0/2][SRU][D] Loosen Lockdown restrictions on bpf(2) (LP: #1863234)

Tyler Hicks tyhicks at canonical.com
Thu Feb 20 00:04:24 UTC 2020


BugLink: https://bugs.launchpad.net/bugs/1863234

I tested these changes by locally signing a test kernel and its modules
before following the Test Case described below.

[Impact]

The bpf(2) system call is completely blocked in Disco and Eoan when
Secure Boot is enabled due to overly restrictive Lockdown policies. This
makes it so that all bpf related tools are not usable on those releases.

[Test Case]

Set up test BPF programs:

 $ cat hello.bt
 BEGIN { printf("hello\n"); exit(); }
 $ cat kprobe.bt
 kprobe:do_nanosleep { printf("task sleeping...\n"); exit(); }
 $ cat open.bt
 tracepoint:syscalls:sys_enter_openat {
   printf("filename: [%s]; flags: [%d]\n",
          str(args->filename), args->flags);
 }

Disable Secure Boot:

 $ sudo mokutil --disable-validation
 ...
 $ sudo reboot

Ensure that hello.bt can run:

 $ sudo bpftrace hello.bt
 Attaching 1 probe...
 hello

Ensure that a BPF program triggered by a kprobe works (run `sleep 1` in
another terminal):

 $ sudo bpftrace kprobe.bt
 Attaching 1 probe...
 task sleeping...

Ensure that a BPF program triggered by a tracepoint can access the
filename and flags of openat(2):

 $ sudo bpftrace open.bt
 Attaching 1 probe...
 filename: [/proc/2317/cmdline]; flags: [0]
 filename: [/dev/iio:device1]; flags: [2048]
 ...

Enable Secure Boot

 $ sudo mokutil --enable-validation
 ...
 $ sudo reboot

Ensure that a basic BPF program can run:

 $ sudo bpftrace hello.bt
 Attaching 1 probe...
 hello

Ensure that a BPF program triggered by a kprobe is blocked (kprobes
aren't allowed under Secure Boot):

 $ sudo bpftrace kprobe.bt
 Attaching 1 probe...
 cannot attach kprobe, Operation not permitted
 Error attaching probe: 'kprobe:do_nanosleep'

You should see the following kernel message logged:

 Lockdown: bpftrace: Use of kprobes is restricted; see man kernel_lockdown.7

Ensure that a BPF program triggered by a tracepoint can NOT access the
filename and flags of openat(2) (all filenames should be empty and all
flags should be 0):

 $ sudo bpftrace open.bt
 Attaching 1 probe...
 filename: []; flags: [0]
 filename: []; flags: [0]
 ...

You should see the following kernel message logged:

 Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7

[Regression Potential]

Low. This is opening up the use of bpf(2) while under Lockdown. There
should be no new restrictions put in place.

Tyler

David Howells (1):
  bpf: Restrict bpf when kernel lockdown is in confidentiality mode

Tyler Hicks (1):
  Revert "UBUNTU: SAUCE: (efi-lockdown) bpf: Restrict kernel image
    access functions when the kernel is locked down"

 kernel/bpf/syscall.c     |  3 ---
 kernel/trace/bpf_trace.c | 12 ++++++++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

-- 
2.17.1




More information about the kernel-team mailing list