Warn on kernel lockdown #295
In bpftrace they opted for a different lockdown detection strategy:
The functionality has been merged into libbpfgo. I'm now waiting for @grantseltzer to bump the libbpfgo version dependency from tracee so I can propose the following to tracee:

```go
// kernel lockdown check
lockdown, err := helpers.Lockdown()
if err != nil {
	return err
}
if lockdown == helpers.CONFIDENTIALITY {
	return fmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs.")
}
if debug {
	fmt.Fprintf(os.Stdout, "OSInfo: Security Lockdown is '%v'\n", lockdown)
}
```
The kernel lockdown feature was added to the kernel since version 5.4:
https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/

This is a new LSM that effectively disables some BPF functionality, as can be seen at:
https://lore.kernel.org/patchwork/patch/1055067/

More details:
https://lwn.net/Articles/791863/
iovisor/bcc#2565

Detecting lockdown can be done using the /sys/kernel/security/lockdown sysfs entry (starting from kernel 5.4). Lockdown can be set to integrity or confidentiality.

Example output:

```
$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality
```

When secureboot (and lockdown) is enabled:

```
$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality
```

We should add a descriptive warning if kernel lockdown is enabled and set to confidentiality, in which case we should also exit, as kprobes, debugfs, perf, and bpf_read will not work.
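As an added example of the check described in this issue and in the libbpfgo comment above (this is not tracee's or libbpfgo's own code), the following Go program parses the `/sys/kernel/security/lockdown` format shown above, where the active mode is the bracketed word, treats a missing file as "no lockdown LSM" (pre-5.4 kernel or securityfs not mounted), and maps the result to a warning-or-exit decision. The type `LockdownMode`, the functions `ParseLockdown`, `ReadLockdown` and `CheckLockdown`, and the error `ErrNoLockdownLSM` are names assumed for this example only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// LockdownMode is one of the three states the kernel lockdown LSM exposes.
// (Name assumed for this example; libbpfgo has its own constants.)
type LockdownMode string

const (
	LockdownNone            LockdownMode = "none"
	LockdownIntegrity       LockdownMode = "integrity"
	LockdownConfidentiality LockdownMode = "confidentiality"
)

// Sysfs entry documented in the issue (kernel 5.4+).
const lockdownPath = "/sys/kernel/security/lockdown"

// ErrNoLockdownLSM is returned when the sysfs entry does not exist at all.
var ErrNoLockdownLSM = errors.New("kernel lockdown LSM not present (pre-5.4 kernel or securityfs not mounted)")

// ParseLockdown extracts the active mode from the sysfs content.
// The kernel prints all modes and marks the active one in brackets,
// e.g. "none [integrity] confidentiality\n" -> LockdownIntegrity.
func ParseLockdown(content string) (LockdownMode, error) {
	for _, field := range strings.Fields(content) {
		if strings.HasPrefix(field, "[") && strings.HasSuffix(field, "]") {
			mode := LockdownMode(strings.Trim(field, "[]"))
			switch mode {
			case LockdownNone, LockdownIntegrity, LockdownConfidentiality:
				return mode, nil
			default:
				return "", fmt.Errorf("unknown lockdown mode %q", mode)
			}
		}
	}
	return "", fmt.Errorf("no active mode marked in %q", strings.TrimSpace(content))
}

// ReadLockdown reads the live value from path; a missing file means the
// lockdown LSM is not available, which is distinct from "none".
func ReadLockdown(path string) (LockdownMode, error) {
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return "", ErrNoLockdownLSM
	}
	if err != nil {
		return "", err
	}
	return ParseLockdown(string(data))
}

// CheckLockdown returns the message a tracer should print at startup and
// whether it must stop. Per the issue, confidentiality blocks kprobes,
// debugfs, perf and bpf_read, so it is fatal; integrity (the secure boot
// default) is only reported for visibility.
func CheckLockdown(mode LockdownMode) (msg string, fatal bool) {
	switch mode {
	case LockdownConfidentiality:
		return "kernel lockdown is set to 'confidentiality': kprobes, debugfs, perf and bpf_read will not work, can't load eBPF programs", true
	case LockdownIntegrity:
		return "kernel lockdown is set to 'integrity' (e.g. secure boot enabled)", false
	default:
		return "", false
	}
}

func main() {
	mode, err := ReadLockdown(lockdownPath)
	if errors.Is(err, ErrNoLockdownLSM) {
		fmt.Println("no lockdown LSM on this kernel, nothing to check")
		return
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "lockdown check failed:", err)
		os.Exit(1)
	}
	if msg, fatal := CheckLockdown(mode); msg != "" {
		fmt.Fprintln(os.Stderr, "warning:", msg)
		if fatal {
			os.Exit(1)
		}
	}
	fmt.Println("lockdown mode:", mode)
}
```

Separating "file missing" from "mode is none" matters on older kernels: a tracer that treats both the same would skip the check silently on 5.4+ hosts where securityfs simply is not mounted, so the program reports that case explicitly instead of assuming no lockdown.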