[SRU Eoan 0/2] Allow BPF tracing under lockdown
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue Mar 24 09:59:01 UTC 2020
Note: when testing bpftrace snap, it misdetects that the system is under
confidentiality lockdown. I guess snapd does not allow some necessary access
for bpftrace to work. I used the bpftrace deb.
BugLink: https://bugs.launchpad.net/bugs/1868626
[Impact]
BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which
is going to be the default before release. Right now, Eoan does not allow
kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe
tracing.
[Test case]
sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
The last one should show the filename and flags.
[Regression potential]
This would allow privileged users to possibly read some kernel data that was
not possible before. However, this is already possible on systems that are not
under lockdown, which are all non-secure boot systems by default. This also
matches the behavior of signed kernels of Bionic and Focal.
Thadeu Lima de Souza Cascardo (2):
Revert "UBUNTU: SAUCE: (efi-lockdown) Lock down kprobes"
Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality
mode"
kernel/kprobes.c | 3 ---
kernel/trace/bpf_trace.c | 12 ------------
2 files changed, 15 deletions(-)
--
2.17.1
More information about the kernel-team
mailing list