ACK: [SRU Eoan 0/2] Allow BPF tracing under lockdown

Colin Ian King colin.king at canonical.com
Tue Mar 24 10:10:20 UTC 2020


On 24/03/2020 09:59, Thadeu Lima de Souza Cascardo wrote:
> Note: when testing bpftrace snap, it misdetects that the system is under
> confidentiality lockdown. I guess snapd does not allow some necessary access
> for bpftrace to work. I used the bpftrace deb.
> 
> BugLink: https://bugs.launchpad.net/bugs/1868626
> 
> [Impact]
> BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which
> is going to be the default before release. Right now, Eoan does not allow
> kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe
> tracing.
> 
> [Test case]
> 
> sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
> 
> sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
> 
> The last one should show the filename and flags.
> 
> [Regression potential]
> This would allow privileged users to possibly read some kernel data that was
> not possible before. However, this is already possible on systems that are not
> under lockdown, which are all non-secure boot systems by default. This also
> matches the behavior of signed kernels of Bionic and Focal.
> 
> Thadeu Lima de Souza Cascardo (2):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Lock down kprobes"
>   Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality
>     mode"
> 
>  kernel/kprobes.c         |  3 ---
>  kernel/trace/bpf_trace.c | 12 ------------
>  2 files changed, 15 deletions(-)
> 

Thanks Thadeu. Looks fine to me.

Acked-by: Colin Ian King <colin.king at canonical.com>



More information about the kernel-team mailing list