On Tue, Oct 20, 2020 at 04:59:59PM -0400, Konrad Rzeszutek Wilk wrote: > bpf_read() and bpf_read_str() could potentially be abused to (eg) allow > private keys in kernel memory to be leaked. Disable them if the kernel > has been locked down in confidentiality mode. > > Suggested-by: Alexei Starovoitov <[email protected]> > Signed-off-by: Matthew Garrett <[email protected]> > Reviewed-by: Kees Cook <[email protected]> > cc: [email protected] > cc: Chun-Yi Lee <[email protected]> > cc: Alexei Starovoitov <[email protected]> > Cc: Daniel Borkmann <[email protected]> > Signed-off-by: James Morris <[email protected]> > > [Backport notes: > The upstream version is using enums, and all that fancy code. > We are just retroffiting UEK5 a bit and just checking to > see if integrity mode has been enabled and if so then > allow it. If the default lockdown mode (confidentiality) is on > then we don't allow it.]
<sigh> And that is what I get for _not_ doing --suppress-cc=all My apologies for spamming you all! <goes to hide in the corner of shame>
