-- Use http://vger.kernel.org/~acme/bpf/eBPF-lockdown-lpc-2020/?print-pdf#/ then control+P to print to pdf file -->
static __always_inline int
bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr)
{
int ret = security_locked_down(LOCKDOWN_BPF_READ);
if (unlikely(ret < 0))
goto fail;
ret = copy_from_kernel_nofault(dst, unsafe_ptr, size);
if (unlikely(ret < 0))
goto fail;
return ret;
fail: memset(dst, 0, size);
return ret;
}
avc: denied { integrity } for pid=3402 comm="fwupd"
lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
avc: denied { confidentiality } for pid=4628 comm="cp"
lockdown_reason="/proc/kcore access"
scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tclass=lockdown permissive=0
$ find . -name "*.c" | xargs grep security_locked_down | wc -l
59
$ find . -name "*.c" | xargs grep security_locked_down | head
./arch/x86/kernel/ioport.c: security_locked_down(LOCKDOWN_IOPORT)))
./arch/x86/kernel/ioport.c: security_locked_down(LOCKDOWN_IOPORT))
./arch/x86/kernel/msr.c: err = security_locked_down(LOCKDOWN_MSR);
./arch/x86/kernel/msr.c: err = security_locked_down(LOCKDOWN_MSR);
./arch/x86/mm/testmmiotrace.c: int ret = security_locked_down(LOCKDOWN_MMIOTRACE);
./arch/powerpc/xmon/xmon.c: lockdown = !!security_locked_down(LOCKDOWN_XMON_RW);
./arch/powerpc/xmon/xmon.c: xmon_is_ro = !!security_locked_down(LOCKDOWN_XMON_WR);
./fs/proc/kcore.c: int ret = security_locked_down(LOCKDOWN_KCORE);
./fs/debugfs/file.c: if (security_locked_down(LOCKDOWN_DEBUGFS))
./fs/debugfs/inode.c: int ret = security_locked_down(LOCKDOWN_DEBUGFS);
$
enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_EFI_TEST, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, LOCKDOWN_ACPI_TABLES, LOCKDOWN_PCMCIA_CIS, LOCKDOWN_TIOCSSERIAL, LOCKDOWN_MODULE_PARAMETERS, LOCKDOWN_MMIOTRACE, LOCKDOWN_DEBUGFS, LOCKDOWN_XMON_WR, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, LOCKDOWN_BPF_READ, LOCKDOWN_PERF, LOCKDOWN_TRACEFS, LOCKDOWN_XMON_RW, LOCKDOWN_CONFIDENTIALITY_MAX, };
$ ../build/v5.9-rc2+/scripts/sign-file Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>] scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>] $
static int module_sig_check(struct load_info *info, int flags)
{
int err = info->len ? mod_verify_sig(info->hdr, info) : -ENODATA;
switch (err) {
case 0: info->sig_ok = true; return 0;
case -ENODATA: reason = "Loading of unsigned module"; goto decide;
case -ENOPKG: reason = "Loading of module with unsupported crypto"; goto decide;
case -ENOKEY: reason = "Loading of module with unavailable key";
decide:
if (is_module_sig_enforced()) {
pr_notice("%s: %s is rejected\n", info->name, reason);
return -EKEYREJECTED;
}
return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);