[SRU Eoan 2/2] Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality mode"

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Mar 24 09:59:03 UTC 2020


BugLink: https://bugs.launchpad.net/bugs/1868626

This reverts commit 311f07f8e2dbccc7dac8450548987996222675a5.

Upstream lockdown support locks down bpf reads only above the integrity
level. As we are moving to an integrity level on secure boot on Focal,
and there is no BPF lockdown on Bionic either, this makes Eoan behave like
those two releases.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 kernel/trace/bpf_trace.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 95f0c4503ed1..9805312f66a7 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -142,14 +142,8 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
 {
 	int ret;
 
-	if (kernel_is_locked_down("BPF")) {
-		ret = -EPERM;
-		goto out;
-	}
-
 	ret = probe_kernel_read(dst, unsafe_ptr, size);
 	if (unlikely(ret < 0))
-out:
 		memset(dst, 0, size);
 
 	return ret;
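Review bot: the check being removed (`kernel_is_locked_down("BPF")`) refuses bpf_probe_read at any lockdown level, not only in confidentiality mode, so dropping it on Eoan means a locked-down kernel no longer blocks BPF reads of kernel memory at all; that is the intended outcome per the commit message, but it is worth stating in the message that the revert is chosen over narrowing the check to a confidentiality-only condition. Also note the control flow after the hunk: with `out:` gone, `memset(dst, 0, size)` is now reached only through the `if (unlikely(ret < 0))` branch, which restores the pre-lockdown semantics (zero the destination only on a failed probe_kernel_read) and is consistent with the hunk header's 14 to 8 line count.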
@@ -589,11 +583,6 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
 {
 	int ret;
 
-	if (kernel_is_locked_down("BPF")) {
-		ret = -EPERM;
-		goto out;
-	}
-
 	/*
 	 * The strncpy_from_unsafe() call will likely not fill the entire
 	 * buffer, but that's okay in this circumstance as we're probing
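Review bot: this hunk removes the `goto out` in bpf_probe_read_str but the matching `out:` label is removed in the next hunk of the same function; the two hunks are inseparable (applying only this one leaves an unused label, applying only the next one leaves a `goto` to an undefined label and breaks the build), so they should land as one change, which a plain revert of 311f07f8e2dbccc7dac8450548987996222675a5 guarantees as long as nobody splits the diff when cherry-picking.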
@@ -605,7 +594,6 @@ BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
 	 */
 	ret = strncpy_from_unsafe(dst, unsafe_ptr, size);
 	if (unlikely(ret < 0))
-out:
 		memset(dst, 0, size);
 
 	return ret;
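Review bot: the early-return path removed here set `ret = -EPERM` before jumping to `memset(dst, 0, size)`, so callers on a locked-down kernel previously saw a zeroed buffer and -EPERM; after the revert bpf_probe_read_str returns whatever strncpy_from_unsafe returns and zeroes the buffer only on a negative result, matching the bpf_probe_read hunk above. Since the BugLink references the Eoan/Focal lockdown alignment, it would help reviewers if the message pointed to the Focal change that provides the integrity-level lockdown this series is aligning with.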
-- 
2.17.1
