APPLIED: [SRU Eoan 0/2] Allow BPF tracing under lockdown
Kleber Souza
kleber.souza at canonical.com
Wed Mar 25 09:06:49 UTC 2020
On 2020-03-24 10:59, Thadeu Lima de Souza Cascardo wrote:
> Note: when testing bpftrace snap, it misdetects that the system is under
> confidentiality lockdown. I guess snapd does not allow some necessary access
> for bpftrace to work. I used the bpftrace deb.
>
> BugLink: https://bugs.launchpad.net/bugs/1868626
>
> [Impact]
> BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which
> is going to be the default before release. Right now, Eoan does not allow
> kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe
> tracing.
>
> [Test case]
>
> sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
>
> sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
>
> The last one should show the filename and flags.
>
> [Regression potential]
> This would allow privileged users to possibly read some kernel data that was
> not possible before. However, this is already possible on systems that are not
> under lockdown, which are all non-secure boot systems by default. This also
> matches the behavior of signed kernels of Bionic and Focal.
>
> Thadeu Lima de Souza Cascardo (2):
> Revert "UBUNTU: SAUCE: (efi-lockdown) Lock down kprobes"
> Revert "bpf: Restrict bpf when kernel lockdown is in confidentiality mode"
>
> kernel/kprobes.c | 3 ---
> kernel/trace/bpf_trace.c | 12 ------------
> 2 files changed, 15 deletions(-)
>
Applied to eoan/linux.
Thanks,
Kleber
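A script to check the test case from the cover letter on a booted kernel, added here as an example (it is not part of the series or of the Ubuntu kernel team's tooling). It assumes the mainline lockdown status file `/sys/kernel/security/lockdown` exists and reads like `none [integrity] confidentiality`; the mail does not name that path, and the expected output format comes from the `printf` in the second bpftrace command.

```shell
#!/bin/sh
# Added verification script for the SRU test case; not from the patch
# series. Assumes the mainline lockdown status file (an assumption, the
# mail does not name it) whose line reads e.g. "none [integrity] confidentiality".
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the bracketed (active) mode from a lockdown status line, or "unknown".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p' | grep . || echo unknown
}

# One line of the tracepoint probe passes only when the filename field is
# non-empty and the flags field is numeric: that is what "should show the
# filename and flags" means. An empty filename means str() could not read
# the user pointer, i.e. BPF reads are still refused under lockdown.
tracepoint_line_ok() {
    printf '%s\n' "$1" | grep -Eq '^filename: \[[^]]+\]; flags: \[[0-9]+\]$'
}

# Read probe output on stdin and print "<passing>/<total>".
tally_tracepoint_lines() {
    ok=0; total=0
    while IFS= read -r line; do
        total=$((total + 1))
        if tracepoint_line_ok "$line"; then ok=$((ok + 1)); fi
    done
    echo "$ok/$total"
}

# Run a bpftrace program for a few seconds, dropping the "Attaching ..."
# banner. Needs root and the bpftrace deb (the mail notes the snap
# misdetects the lockdown state).
run_probe() {
    timeout 5 bpftrace -e "$1" 2>/dev/null | grep -v '^Attaching'
}

main() {
    echo "lockdown mode: $(lockdown_mode "$(cat "$LOCKDOWN_FILE" 2>/dev/null)")"
    # Trigger do_nanosleep and an openat while each probe is attached.
    (sleep 1; cat /etc/hostname >/dev/null) &
    if run_probe 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }' | grep -q sleeping
    then echo "kprobe probe: OK"; else echo "kprobe probe: no output"; fi
    (sleep 1; cat /etc/hostname >/dev/null) &
    echo "tracepoint lines with filename and flags: $(run_probe \
        'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }' \
        | tally_tracepoint_lines)"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sudo sh check-bpf-lockdown.sh run`; if bpftrace block-buffers its output when piped, prefix the `bpftrace` call in `run_probe` with `stdbuf -oL`.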