diff options
author | David Howells <dhowells@redhat.com> | 2019-08-20 03:17:59 +0300 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-20 07:54:16 +0300 |
commit | 9d1f8be5cf42b497a3bddf1d523f2bb142e9318c (patch) | |
tree | fc926ba08f6b2b69c2b9341de2a16d2870b25bda /include/linux/security.h | |
parent | a94549dd87f5ea4ca50fee493df08a2dc6256b53 (diff) | |
download | linux-9d1f8be5cf42b497a3bddf1d523f2bb142e9318c.tar.xz |
bpf: Restrict bpf when kernel lockdown is in confidentiality mode
bpf_read() and bpf_read_str() could potentially be abused to (eg) allow
private keys in kernel memory to be leaked. Disable them if the kernel
has been locked down in confidentiality mode.
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: netdev@vger.kernel.org
cc: Chun-Yi Lee <jlee@suse.com>
cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 0b2529dbf0f4..e604f4c67f03 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -118,6 +118,7 @@ enum lockdown_reason { LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, + LOCKDOWN_BPF_READ, LOCKDOWN_CONFIDENTIALITY_MAX, }; |