Public bug reported:

[Impact]
BPF tracing is allowed on Bionic and on Focal under integrity lockdown, which 
is going to be the default before release. Right now, Eoan does not allow 
kprobes and BPF reads under lockdown, preventing BPF tracing and kprobe tracing.

[Test case]
sudo bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }'
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }'

The last one should show the filename and flags.
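As an added example (not part of the bug report), the following script reads the lockdown mode from securityfs and runs the two [Test case] one-liners against a small trigger workload, reporting whether each produces the expected output. It assumes a root shell with bpftrace and coreutils timeout installed; run it as `sh check.sh run`.

```shell
#!/bin/sh
# Added example, not from the Launchpad bug. Checks kernel lockdown mode and
# exercises the bpftrace one-liners from the [Test case] under that mode.

# Extract the active mode from /sys/kernel/security/lockdown contents,
# which look like "none [integrity] confidentiality" (bracketed = active).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

current_lockdown() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then lockdown_mode "$(cat "$f")"; else echo unknown; fi
}

# Run a bpftrace program for a few seconds while a trigger command runs in
# the background; succeed only if the expected text appears in the output.
trace_check() {
    prog=$1; trigger=$2; expect=$3
    ( sleep 1; sh -c "$trigger" ) >/dev/null 2>&1 &
    out=$(timeout 4 bpftrace -e "$prog" 2>&1)
    wait
    case "$out" in
        *"$expect"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

main() {
    echo "lockdown mode: $(current_lockdown)"
    # kprobe attach; a sleeping process triggers do_nanosleep.
    if trace_check 'kprobe:do_nanosleep { printf("PID %d sleeping...\n", pid); }' \
                   'sleep 1' 'sleeping...'
    then echo "kprobe tracing: OK"; else echo "kprobe tracing: FAILED"; fi
    # tracepoint plus str() read of a user pointer; the bug says the filename
    # must actually appear, so an empty "[]" counts as a failure.
    if trace_check 'tracepoint:syscalls:sys_enter_openat { printf("filename: [%s]; flags: [%d]\n", str(args->filename), args->flags); }' \
                   'cat /etc/hostname' 'filename: [/etc/hostname]'
    then echo "tracepoint + str(): OK"; else echo "tracepoint + str(): FAILED"; fi
}

# Only run the live checks when explicitly asked, so sourcing is side-effect free.
case "${1:-}" in run) main ;; esac
```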

[Regression potential]
This would allow privileged users to possibly read some kernel data that was 
not possible before. However, this is already possible on systems that are not 
under lockdown, which are all non-secure boot systems by default. This also 
matches the behavior of signed kernels of Bionic and Focal.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Seth Forshee (sforshee)
         Status: Fix Committed

** Affects: linux (Ubuntu Eoan)
     Importance: Critical
     Assignee: Thadeu Lima de Souza Cascardo (cascardo)
         Status: In Progress

** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Eoan)
     Assignee: (unassigned) => Thadeu Lima de Souza Cascardo (cascardo)

** Changed in: linux (Ubuntu Eoan)
       Status: New => In Progress

** Changed in: linux (Ubuntu Eoan)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
       Status: New => Fix Committed

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Seth Forshee (sforshee)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1868626

Title:
  Allow BPF tracing under lockdown

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Eoan:
  In Progress

Bug description:
  (same [Impact], [Test case] and [Regression potential] text as above)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626/+subscriptions
