linux lockdown

gistfile1.txt

# Lockdown:

## ubuntu 19.10

Uses old version of lockdown
- bpf syscall fully blocked

## fedora 31

Official lockdown

### Relevant patches

- aefcf2f4b5815: Merge commit of lockdown patches

- bf8e602186ec4: Tracefs blocked, tracing: Do not create tracefs files if tracefs lockdown is in effect
- 9d1f8be5cf42b: bpf: Restrict bpf when kernel lockdown is in confidentiality mode
- a94549dd87f5e: lockdown: Lock down tracing and perf kprobes when in confidentiality mode

### Less relevant

- b0c8fdc7fdb77: lockdown: Lock down perf when in confidentiality mode
- 5496197f9b084: debugfs: Restrict debugfs when the kernel is locked down

#### Lockdown reasons

(easy to grep to kernel source and see where they're used)

LOCKDOWN_TRACEFS,
LOCKDOWN_DEBUGFS,
LOCKDOWN_KPROBES,
LOCKDOWN_BPF_READ
LOCKDOWN_PERF,
LOCKDOWN_TRACEFS,

### Issues

- Cannot list kprobes as tracefs is blocked/disabled
  poor error message too: `No such file or directory: /sys/kernel/debug/tracing/available_filter_functions`

- probe_read, probe_read_str, probe_read_kernel and probe_read_kernel_str are blocked at runtime

```
Tracing bash commands... Hit Ctrl-C to end.
TIME      PID    COMMAND
22:43:29  10761
22:43:30  10761
```

- kprobes blocked
```
$ sudo bpftrace -e 'k:f { @ =1 }'
Attaching 1 probe...
create_probe_event: open(/sys/kernel/debug/tracing/kprobe_events): No such file or directory
Error attaching probe: 'kprobe:f'
```