Public bug reported:

[Impact]
BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which is going to be the default before release. Right now, Eoan does not allow kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe tracing.

[Test case]
sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
The last one should show the filename and flags.

[Regression potential]
This would allow privileged users to possibly read some kernel data that was not possible before. However, this is already possible on systems that are not under lockdown, which are all non-secure boot systems by default. This also matches the behavior of signed kernels of Bionic and Focal.

** Affects: linux (Ubuntu)
   Importance: Undecided
   Assignee: Seth Forshee (sforshee)
   Status: Fix Committed

** Affects: linux (Ubuntu Eoan)
   Importance: Critical
   Assignee: Thadeu Lima de Souza Cascardo (cascardo)
   Status: In Progress

** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Eoan)
   Assignee: (unassigned) => Thadeu Lima de Souza Cascardo (cascardo)

** Changed in: linux (Ubuntu Eoan)
   Status: New => In Progress

** Changed in: linux (Ubuntu Eoan)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu)
   Assignee: (unassigned) => Seth Forshee (sforshee)

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1868626

Title:
  Allow BPF tracing under lockdown

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Eoan:
  In Progress
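Added example, not part of the bug report or of the Ubuntu kernel tree: a POSIX shell script that reads the active kernel lockdown mode and then runs the two bpftrace test cases from the bug, reporting whether each one behaves as the bug expects for that mode. It assumes the upstream lockdown LSM file /sys/kernel/security/lockdown, whose content is of the form "none [integrity] confidentiality" with the active mode in brackets (present on 5.4-based kernels such as Focal's; the bug itself does not mention this file), and that bpftrace is installed and the script runs as root. An `interval:s:2 { exit(); }` probe is appended to each program so a run stops after two seconds instead of tracing indefinitely.

```shell
#!/bin/sh
# Added example, not part of the Launchpad bug: check the kernel lockdown mode and
# run the bug's two bpftrace test cases, reporting whether tracing is expected to work.
#
# Assumptions (not stated in the bug report):
#   - the kernel exposes the upstream lockdown LSM file /sys/kernel/security/lockdown,
#     whose content looks like "none [integrity] confidentiality" (active mode in brackets);
#   - bpftrace is installed and the script runs as root.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Extract the active mode from a lockdown-file line such as "[none] integrity confidentiality".
# Prints the bracketed word, or "unknown" when the line has no brackets.
lockdown_mode() {
    case "$1" in
        *'['*']'*) printf '%s\n' "$1" | sed 's/.*\[\([a-z]*\)\].*/\1/' ;;
        *) echo unknown ;;
    esac
}

# Mode on this host; a kernel without the lockdown LSM has no file, so report "none".
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo none
    fi
}

# Return 0 if kprobes and BPF reads should work in this mode. The bug asks for them
# to be allowed under "integrity" (as on Bionic/Focal); "confidentiality" keeps them blocked.
tracing_expected() {
    case "$1" in
        none|integrity) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one bpftrace program for two seconds (an interval probe calls exit()) and
# report PASS when it exits cleanly and its output contains the expected marker text.
run_probe() {
    label=$1; prog=$2; marker=$3
    out=$(bpftrace -e "$prog interval:s:2 { exit(); }" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -qF -- "$marker"; then
        echo "PASS $label"
    else
        echo "FAIL $label (bpftrace exit status $rc)"
        printf '%s\n' "$out" | tail -n 3
    fi
}

# Only exercise the kernel when we actually can; the functions above are usable on their own.
if [ "$(id -u)" -eq 0 ] && command -v bpftrace >/dev/null 2>&1; then
    mode=$(current_lockdown_mode)
    echo "lockdown mode: $mode"
    if tracing_expected "$mode"; then
        run_probe kprobe \
            'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }' 'PID '
        run_probe tracepoint \
            'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }' \
            'filename: ['
    else
        echo "mode '$mode' blocks kprobes and BPF reads; the bug's test cases are expected to fail here"
    fi
fi
```

On an Eoan kernel without the fix, booted with Secure Boot (integrity lockdown), the two probes are expected to FAIL; after the fix, or on Bionic/Focal signed kernels, both should print PASS. Under confidentiality lockdown the script does not run the probes at all, since that mode is meant to keep kernel memory unreadable regardless of this bug.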