APPLIED: [PATCH 0/2][SRU][E] Loosen Lockdown restrictions on bpf(2) (LP: #1863234)

Khaled Elmously khalid.elmously at canonical.com
Wed Mar 11 05:07:19 UTC 2020


On 2020-02-20 00:03:49, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1863234
> 
> I tested these changes by locally signing a test kernel and its modules
> before following the Test Case described below.
> 
> [Impact]
> 
> The bpf(2) system call is completely blocked in Disco and Eoan when
> Secure Boot is enabled due to overly restrictive Lockdown policies. This
> makes it so that all bpf-related tools are not usable on those releases.
> 
> [Test Case]
> 
> Set up test BPF programs:
> 
>  $ cat hello.bt
>  BEGIN { printf("hello\n"); exit(); }
>  $ cat kprobe.bt
>  kprobe:do_nanosleep { printf("task sleeping...\n"); exit(); }
>  $ cat open.bt
>  tracepoint:syscalls:sys_enter_openat {
>    printf("filename: [%s]; flags: [%d]\n",
>           str(args->filename), args->flags);
>  }
> 
> Disable Secure Boot:
> 
>  $ sudo mokutil --disable-validation
>  ...
>  $ sudo reboot
> 
> Ensure that hello.bt can run:
> 
>  $ sudo bpftrace hello.bt
>  Attaching 1 probe...
>  hello
> 
> Ensure that a BPF program triggered by a kprobe works (run `sleep 1` in
> another terminal):
> 
>  $ sudo bpftrace kprobe.bt
>  Attaching 1 probe...
>  task sleeping...
> 
> Ensure that a BPF program triggered by a tracepoint can access the
> filename and flags of openat(2):
> 
>  $ sudo bpftrace open.bt
>  Attaching 1 probe...
>  filename: [/proc/2317/cmdline]; flags: [0]
>  filename: [/dev/iio:device1]; flags: [2048]
>  ...
> 
> Enable Secure Boot:
> 
>  $ sudo mokutil --enable-validation
>  ...
>  $ sudo reboot
> 
> Ensure that a basic BPF program can run:
> 
>  $ sudo bpftrace hello.bt
>  Attaching 1 probe...
>  hello
> 
> Ensure that a BPF program triggered by a kprobe is blocked (kprobes
> aren't allowed under Secure Boot):
> 
>  $ sudo bpftrace kprobe.bt
>  Attaching 1 probe...
>  cannot attach kprobe, Operation not permitted
>  Error attaching probe: 'kprobe:do_nanosleep'
> 
> You should see the following kernel message logged:
> 
>  Lockdown: bpftrace: Use of kprobes is restricted; see man kernel_lockdown.7
> 
> Ensure that a BPF program triggered by a tracepoint can NOT access the
> filename and flags of openat(2) (all filenames should be empty and all
> flags should be 0):
> 
>  $ sudo bpftrace open.bt
>  Attaching 1 probe...
>  filename: []; flags: [0]
>  filename: []; flags: [0]
>  ...
> 
> You should see the following kernel message logged:
> 
>  Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7
> 
> [Regression Potential]
> 
> Low. This is opening up the use of bpf(2) while under Lockdown. There
> should be no new restrictions put in place.
> 
> Tyler
> 
> David Howells (1):
>   bpf: Restrict bpf when kernel lockdown is in confidentiality mode
> 
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) bpf: Restrict kernel image
>     access functions when the kernel is locked down"
> 
>  kernel/bpf/syscall.c     |  3 ---
>  kernel/trace/bpf_trace.c | 12 ++++++++++++
>  2 files changed, 12 insertions(+), 3 deletions(-)
> 
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
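
The two kernel messages in the quoted test case share one format, so the Secure Boot half of the test can be checked from the kernel log. The script below is an added example, not part of the original message or the patch series; the function names, the sample timestamps and the unrelated USB line are constructed.

```shell
#!/bin/sh
# Summarize kernel Lockdown denials per process and restricted feature.
# Line format, as quoted in the test case:
#   Lockdown: <comm>: <feature> is restricted; see man kernel_lockdown.7
# Real input would come from `dmesg` or `journalctl -k`.

# lockdown_summary: kernel log on stdin -> "<comm>\t<feature>\t<count>" lines.
lockdown_summary() {
    awk '
    {
        i = index($0, "Lockdown: ")
        if (!i) next
        s = substr($0, i + 10)
        j = index(s, " is restricted; see man kernel_lockdown.7")
        if (!j) next
        s = substr(s, 1, j - 1)
        # Split at the LAST ": " because a process name may itself contain one.
        k = 0
        for (n = 1; n < length(s); n++)
            if (substr(s, n, 2) == ": ") k = n
        if (!k) next
        count[substr(s, 1, k - 1) "\t" substr(s, k + 2)]++
    }
    END { for (key in count) print key "\t" count[key] }
    ' | LC_ALL=C sort
}

# expect_denial COMM FEATURE: succeed only if the log on stdin has that denial.
expect_denial() {
    lockdown_summary |
        awk -F '\t' -v c="$1" -v f="$2" \
            '$1 == c && $2 == f { found = 1 } END { exit !found }'
}

# Constructed sample log: the two messages from the test case plus noise.
sample_log() {
    cat <<'EOF'
[  101.000001] Lockdown: bpftrace: Use of kprobes is restricted; see man kernel_lockdown.7
[  102.000002] Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7
[  103.000003] Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7
[  104.000004] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

sample_log | lockdown_summary
```

The process name in each message is set by the process itself, so treat the first column as a hint about the caller rather than as an identity.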


