[SRU Eoan 0/2] Allow BPF tracing under lockdown

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Mar 24 09:59:01 UTC 2020

Note: when testing bpftrace snap, it misdetects that the system is under
confidentiality lockdown. I guess snapd does not allow some necessary access
for bpftrace to work. I used the bpftrace deb.

BugLink: https://bugs.launchpad.net/bugs/1868626

BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which
is going to be the default before release. Right now, Eoan does not allow
kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe

[Test case]

sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'

The last one should show the filename and flags.

[Regression potential]
This would allow privileged users to possibly read some kernel data that was
not possible before. However, this is already possible on systems that are not
under lockdown, which are all non-secure boot systems by default. This also
matches the behavior of signed kernels of Bionic and Focal.

Thadeu Lima de Souza Cascardo (2):
  Revert "UBUNTU: SAUCE: (efi-lockdown) Lock down kprobes"
  Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality

 kernel/kprobes.c         |  3 ---
 kernel/trace/bpf_trace.c | 12 ------------
 2 files changed, 15 deletions(-)


More information about the kernel-team mailing list