Diffstat (limited to 'debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch')
-rw-r--r-- | debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch
new file mode 100644
index 000000000..e7d9f0b4e
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0026-Lock-down-kprobes.patch
@@ -0,0 +1,29 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 16:14:12 +0000
+Subject: [26/29] Lock down kprobes
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=cfacbbe6ef95336d99817fb8063c19bd36dfaa3d
+
+Disallow the creation of kprobes when the kernel is locked down by
+preventing their registration. This prevents kprobes from being used to
+access kernel memory, either to make modifications or to steal crypto data.
+
+Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ kernel/kprobes.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: linux/kernel/kprobes.c
+===================================================================
+--- linux.orig/kernel/kprobes.c
++++ linux/kernel/kprobes.c
+@@ -1548,6 +1548,9 @@ int register_kprobe(struct kprobe *p)
+ struct module *probed_mod;
+ kprobe_opcode_t *addr;
+ 
++ if (kernel_is_locked_down("Use of kprobes"))
++ return -EPERM;
++
+ /* Adjust probe address from symbol */
+ addr = kprobe_addr(p);
+ if (IS_ERR(addr)) |
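Review bot: The lockdown check added at the top of `register_kprobe()` only refuses new registrations, so a kprobe armed before the kernel entered lockdown stays live, and nothing in this hunk shows whether kretprobe or other probe registration paths funnel through this function. If they do, a comment above the check would record that it is the intended single choke point, e.g. `/* Lockdown: every probe registration path must pass through here; probes can read and patch kernel memory. */`. If lockdown can be enabled after boot in this tree, it is worth confirming separately that pre-existing probes are disarmed, or documenting the limitation. The body of `register_kprobe()` continues past the end of the hunk.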