bpf: Restrict bpf when kernel lockdown is in confidentiality mode (9d1f8be5) · Commits · Mirrors / github.com / raspberrypi_linux

Commit 9d1f8be5 authored Aug 19, 2019 by

David Howells Committed by James Morris Aug 19, 2019

bpf: Restrict bpf when kernel lockdown is in confidentiality mode



bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
private keys in kernel memory to be leaked. Disable them if the kernel
has been locked down in confidentiality mode.

Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: James Morris <jmorris@namei.org>

parent a94549dd

Hide whitespace changes

Inline Side-by-side

Please register or to comment