Warn on kernel lockdown #295
Comments
|
in bpftrace they opted for a different lockdown detection strategy: |
|
The functionality has been merged into libbpfgo. I'm now waiting for @grantseltzer to bump libbpfgo version dependency from tracee so I can propose: // kernel lockdown check
lockdown, err := helpers.Lockdown()
if err != nil {
return err
}
if lockdown == helpers.CONFIDENTIALITY {
return fmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs.")
}
if debug {
fmt.Fprintf(os.Stdout, "OSInfo: Security Lockdown is '%v'\n", lockdown)
}to tracee. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kernel lockdown feature was added to the kenel since version 5.4:
https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/
This is a new LSM, that effectively disables some BPF functionality as can be seet at:
https://lore.kernel.org/patchwork/patch/1055067/
More details:
https://lwn.net/Articles/791863/
iovisor/bcc#2565
Detecting lockdown can be done using /sys/kernel/security/lockdown sysfs entry (Starting from kernel 5.4)
Lockdown can be set to integrity or confidentiality.
Example output:
$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality
When secureboot (and lockdown) is enabled:
$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality
We should add a descriptive warning if kernel lockdown is enabled and set to confidentiality - in which case we should also exit as kprobes, debugfs, perf, and bpf_read will not work
The text was updated successfully, but these errors were encountered: