From patchwork Wed Mar 6 23:58:50 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10842065
Date: Wed, 6 Mar 2019 15:58:50 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-5-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 04/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
Sender: owner-linux-security-module@vger.kernel.org
From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has been
locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
Signed-off-by: Matthew Garrett
---
 drivers/char/mem.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index b08dc50f9f26..0a2f2e75d5f4 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
 
 static int open_port(struct inode *inode, struct file *filp)
 {
+	if (kernel_is_locked_down("/dev/mem,kmem,port"))
+		return -EPERM;
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }
 
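Review bot: the kernel_is_locked_down() check added to open_port() runs only at open time, so a descriptor on /dev/mem, /dev/kmem or /dev/port that was opened before lockdown took effect keeps working (read, write and mmap all go through the already-open file); if lockdown can be raised after boot rather than only at boot, the commit message should state that existing descriptors are not revoked, or the same check should be applied in the read/write/mmap paths too. Ordering the check ahead of capable(CAP_SYS_RAWIO) is correct for the stated intent, since holders of CAP_SYS_RAWIO are meant to be refused as well, but the reason string "/dev/mem,kmem,port" is the only hint to a reader that open_port() is shared by all three nodes; a one-line comment above the new `if` saying so would help. The hunk also adds no #include, so it relies on kernel_is_locked_down() already being visible in drivers/char/mem.c through a header mem.c pulls in.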
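As an added check, not part of this patch or of the kernel tree, the following user-space probe tries to open the three device nodes the patch covers and classifies why each open() fails, so the effect of the lockdown check can be observed on a running system. Because open_port() returns EPERM both from the new lockdown check and from the existing capable(CAP_SYS_RAWIO) check, the probe also reads the caller's effective capability set with capget(2): only a caller that does hold CAP_SYS_RAWIO and still gets EPERM is seeing the lockdown path. The device list, the probe_result names and the capget-based capability test are this example's own choices.

```c
/*
 * Added example (not part of the patch): probe /dev/mem, /dev/kmem and
 * /dev/port from user space and report why each open() fails. Both the
 * lockdown check and the CAP_SYS_RAWIO check in open_port() yield EPERM,
 * so the caller's effective capabilities are read via capget(2) as well.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

enum probe_result {
	PROBE_OPENED,   /* open() succeeded: no kernel restriction was hit */
	PROBE_REFUSED,  /* EPERM: open_port() refused (lockdown or no CAP_SYS_RAWIO) */
	PROBE_DENIED,   /* EACCES: device-node permissions or an LSM, not open_port() */
	PROBE_ABSENT,   /* ENOENT/ENXIO: node missing or that minor is not configured */
	PROBE_OTHER,    /* anything else; the caller prints errno */
};

/* Map the errno left by a failed open() onto a probe_result. */
enum probe_result classify_errno(int err)
{
	switch (err) {
	case EPERM:  return PROBE_REFUSED;
	case EACCES: return PROBE_DENIED;
	case ENOENT:
	case ENXIO:  return PROBE_ABSENT;
	default:     return PROBE_OTHER;
	}
}

const char *probe_name(enum probe_result r)
{
	static const char *const names[] = {
		"opened", "refused (EPERM)", "denied (EACCES)", "absent", "other",
	};
	return names[r];
}

/* Try to open one node with the given flags; the descriptor is never kept. */
enum probe_result probe_device(const char *path, int flags, int *err_out)
{
	int fd = open(path, flags | O_CLOEXEC);

	if (fd >= 0) {
		close(fd);
		if (err_out)
			*err_out = 0;
		return PROBE_OPENED;
	}
	if (err_out)
		*err_out = errno;
	return classify_errno(errno);
}

/*
 * 1 if the calling thread holds CAP_SYS_RAWIO in its effective set, 0 if
 * not, -1 if capget() failed. Raw syscall, so libcap is not required; the
 * struct layout and CAP_TO_INDEX/CAP_TO_MASK come from the UAPI header.
 */
int have_cap_sys_rawio(void)
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3,
		.pid = 0, /* the calling thread */
	};
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };

	if (syscall(SYS_capget, &hdr, data) != 0)
		return -1;
	return (data[CAP_TO_INDEX(CAP_SYS_RAWIO)].effective &
		CAP_TO_MASK(CAP_SYS_RAWIO)) != 0;
}

int main(void)
{
	static const char *const devices[] = { "/dev/mem", "/dev/kmem", "/dev/port" };
	int rawio = have_cap_sys_rawio();
	int refused_with_rawio = 0;
	size_t i;

	printf("effective CAP_SYS_RAWIO: %s\n",
	       rawio < 0 ? "unknown" : rawio ? "yes" : "no");
	for (i = 0; i < sizeof(devices) / sizeof(devices[0]); i++) {
		int err;
		enum probe_result r = probe_device(devices[i], O_RDWR, &err);

		printf("%-10s %s", devices[i], probe_name(r));
		if (r == PROBE_OTHER)
			printf(" [%s]", strerror(err));
		putchar('\n');
		if (r == PROBE_REFUSED && rawio == 1)
			refused_with_rawio = 1;
	}
	if (refused_with_rawio)
		puts("EPERM despite CAP_SYS_RAWIO: the lockdown check in open_port() is in effect");
	else if (rawio != 1)
		puts("run with CAP_SYS_RAWIO (e.g. as root) to separate lockdown from the capability check");
	return 0;
}
```

Build with `gcc -Wall -o devprobe devprobe.c` and run it twice, once as root and once unprivileged: without lockdown, root sees "opened" and the unprivileged run sees "refused (EPERM)" from the capability check; with this patch and the kernel locked down, root is refused too. /dev/kmem reporting "absent" is normal on kernels built without CONFIG_DEVKMEM, since the node's minor is not configured.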