There are some bpf functions can be used to read kernel memory: bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow private keys in kernel memory (e.g. the hibernation image signing key) to be read by an eBPF program and kernel memory to be altered without restriction.
Completely prohibit the use of BPF when the kernel is locked down. Suggested-by: Alexei Starovoitov <[email protected]> Signed-off-by: David Howells <[email protected]> cc: [email protected] cc: Chun-Yi Lee <[email protected]> cc: Alexei Starovoitov <[email protected]> --- kernel/bpf/syscall.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 25d074920a00..fa58ad74cde6 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1458,6 +1458,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled) return -EPERM; + if (kernel_is_locked_down("BPF")) + return -EPERM; + err = check_uarg_tail_zero(uattr, sizeof(attr), size); if (err) return err;
