ubuntu@eoan:~$ uname -r
5.3.0-46-generic
ubuntu@eoan:~$ grep -i lockdown /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.3.0-46-generic root=PARTUUID=486ca49b-7073-4f42-84a9-c3724b219786 ro console=tty1 console=ttyS0 lockdown
ubuntu@eoan:~$ dmesg | grep -i lockdown
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.3.0-46-generic root=PARTUUID=486ca49b-7073-4f42-84a9-c3724b219786 ro console=tty1 console=ttyS0 lockdown
[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
[ 0.019403] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.3.0-46-generic root=PARTUUID=486ca49b-7073-4f42-84a9-c3724b219786 ro console=tty1 console=ttyS0 lockdown
[ 1.389113] Lockdown: swapper/0: Hibernation is restricted; see man kernel_lockdown.7
ubuntu@eoan:~$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
Attaching 1 probe...
filename: [/proc/interrupts]; flags: [0]
filename: [/proc/stat]; flags: [0]
^C
ubuntu@eoan:~$ sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping\n", pid); }'
Attaching 1 probe...
PID 509 sleeping
PID 509 sleeping
^C
ubuntu@eoan:~$
** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1868626
Title:
Allow BPF tracing under lockdown
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Eoan:
Fix Committed
Bug description:
[Impact]
BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which
is going to be the default before release. Right now, Eoan does not allow
kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe tracing.
[Test case]
sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'
The last one should show the filename and flags.
[Regression potential]
This would allow privileged users to possibly read some kernel data that was
not possible before. However, this is already possible on systems that are not
under lockdown, which are all non-secure boot systems by default. This also
matches the behavior of signed kernels of Bionic and Focal.
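As an added example (not from the bug report, the verifier's comment or the Ubuntu kernel team), the following POSIX shell script automates the verification shown above: it reports the lockdown mode, reading /sys/kernel/security/lockdown where the lockdown LSM provides it (mainline 5.4 and later) and otherwise falling back to the `lockdown` word on /proc/cmdline as on the Eoan 5.3 kernel, then runs the two bpftrace one-liners from the [Test case] for a few seconds each and classifies the result. It distinguishes a probe that failed to attach from one that attached but produced no usable data (for the openat tracepoint, an empty `filename: []`, which is what a blocked kernel read looks like). The function names, the assumption that a bare `lockdown` boot parameter means integrity mode, and the constructed sample outputs in the comments are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of LP#1868626 or the Ubuntu kernel packages.
# Checks which lockdown mode the running kernel is in and whether kprobe
# and tracepoint BPF tracing work under it. Must run as root with
# bpftrace and coreutils timeout installed:  sudo sh bpf-lockdown-check.sh run

# Parse the mode out of one /sys/kernel/security/lockdown line.
# The lockdown LSM (mainline 5.4+) prints e.g. "none [integrity] confidentiality".
lockdown_from_sysfs() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Parse the mode out of a kernel command line. Assumption: a bare
# "lockdown" word (as on the Eoan 5.3 boot above) means integrity mode,
# "lockdown=X" means X, and no lockdown word means none.
lockdown_from_cmdline() (
    set -f                      # no pathname expansion while splitting words
    mode=none
    for word in $1; do
        case "$word" in
            lockdown)   mode=integrity ;;
            lockdown=*) mode=${word#lockdown=} ;;
        esac
    done
    printf '%s\n' "$mode"
)

# Prefer the LSM interface when present, else fall back to /proc/cmdline.
current_lockdown_mode() {
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown_from_sysfs "$(cat /sys/kernel/security/lockdown)"
    else
        lockdown_from_cmdline "$(cat /proc/cmdline)"
    fi
}

# Run a bpftrace program for PROBE_SECONDS (default 3) and return its
# combined output; SIGINT makes bpftrace stop cleanly, like the ^C above.
run_probe() {
    timeout -s INT "${PROBE_SECONDS:-3}" bpftrace -e "$1" 2>&1 || true
}

# Classify captured bpftrace output against an expected ERE:
#   ok               probe attached and at least one line matched
#   attached-no-data probe attached but nothing matched (e.g. empty filenames)
#   attach-failed    bpftrace never reported "Attaching 1 probe"
classify_probe_output() {
    out=$1
    pattern=$2
    if ! printf '%s\n' "$out" | grep -q 'Attaching 1 probe'; then
        printf 'attach-failed\n'
    elif printf '%s\n' "$out" | grep -Eq "$pattern"; then
        printf 'ok\n'
    else
        printf 'attached-no-data\n'
    fi
}

# Only touch the live system when explicitly asked to ("run" argument).
if [ "${1:-}" = run ]; then
    printf 'lockdown mode: %s\n' "$(current_lockdown_mode)"
    printf 'kprobe:do_nanosleep: %s\n' "$(classify_probe_output \
        "$(run_probe 'kprobe:do_nanosleep { printf("PID %d sleeping\n", pid); }')" \
        'PID [0-9]+ sleeping')"
    printf 'tracepoint:syscalls:sys_enter_openat: %s\n' "$(classify_probe_output \
        "$(run_probe 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }')" \
        'filename: \[[^]]+\]; flags: \[-?[0-9]+\]')"
fi
```

On a fixed kernel both probes report `ok` while the mode is `integrity`; on the unfixed Eoan kernel the expected symptom is `attached-no-data` or `attach-failed` for the same probes. The kprobe check depends on some process calling nanosleep during the window, so raise PROBE_SECONDS on a very quiet machine.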
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626/+subscriptions