[20/27] x86/mmiotrace: Lock down the testmmiotrace module

Message ID	20190325220954.29054-21-matthewgarrett@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Date: Mon, 25 Mar 2019 15:09:47 -0700 In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com> Message-Id: <20190325220954.29054-21-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190325220954.29054-1-matthewgarrett@google.com> Subject: [PATCH 20/27] x86/mmiotrace: Lock down the testmmiotrace module From: Matthew Garrett <matthewgarrett@google.com> To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Thomas Gleixner <tglx@linutronix.de>, Steven Rostedt <rostedt@goodmis.org>, Ingo Molnar <mingo@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org, Matthew Garrett <matthewgarrett@google.com> Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	[PULL,REQUEST] Lockdown patches for 5.2 \| expand [PULL,REQUEST] Lockdown patches for 5.2 [02/27] Enforce module signatures if the kernel is locked down [03/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down [04/27] kexec_load: Disable at runtime if the kernel is locked down [05/27] Copy secure_boot flag in boot params across kexec reboot [06/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE [07/27] kexec_file: Restrict at runtime if the kernel is locked down [08/27] hibernate: Disable when the kernel is locked down [09/27] uswsusp: Disable when the kernel is locked down [10/27] PCI: Lock down BAR access when the kernel is locked down [11/27] x86: Lock down IO port access when the kernel is locked down [12/27] x86/msr: Restrict MSR access when the kernel is locked down [13/27] ACPI: Limit access to custom_method when the kernel is locked down [14/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down [15/27] acpi: Disable ACPI table override if the kernel is locked down [16/27] acpi: Disable APEI error injection if the kernel is locked down [17/27] Prohibit PCMCIA CIS storage when the kernel is locked down [18/27] Lock down TIOCSSERIAL [19/27] Lock down module params that specify hardware parameters (eg. ioport) [20/27] x86/mmiotrace: Lock down the testmmiotrace module [21/27] Lock down /proc/kcore [22/27] Lock down kprobes [23/27] bpf: Restrict kernel image access functions when the kernel is locked down [24/27] Lock down perf [25/27] debugfs: Restrict debugfs when the kernel is locked down [26/27] lockdown: Print current->comm in restriction messages [27/27] kexec: Allow kexec_file() with appropriate IMA policy when locked down

Message ID

20190325220954.29054-21-matthewgarrett@google.com (mailing list archive)

State

New, archived

Headers

Date: Mon, 25 Mar 2019 15:09:47 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-21-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190325220954.29054-1-matthewgarrett@google.com>
Subject: [PATCH 20/27] x86/mmiotrace: Lock down the testmmiotrace module
From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        Thomas Gleixner <tglx@linutronix.de>,
        Steven Rostedt <rostedt@goodmis.org>,
        Ingo Molnar <mingo@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org,
        Matthew Garrett <matthewgarrett@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

[PULL,REQUEST] Lockdown patches for 5.2 | expand

Commit Message

Matthew Garrett March 25, 2019, 10:09 p.m. UTC

From: David Howells <dhowells@redhat.com>

The testmmiotrace module shouldn't be permitted when the kernel is locked
down as it can be used to arbitrarily read and write MMIO space.

Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: David Howells <dhowells@redhat.com
cc: Thomas Gleixner <tglx@linutronix.de>
cc: Steven Rostedt <rostedt@goodmis.org>
cc: Ingo Molnar <mingo@kernel.org>
cc: "H. Peter Anvin" <hpa@zytor.com>
cc: x86@kernel.org
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 arch/x86/mm/testmmiotrace.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Steven Rostedt March 25, 2019, 11:35 p.m. UTC | #1

On Mon, 25 Mar 2019 15:09:47 -0700
Matthew Garrett <matthewgarrett@google.com> wrote:

> From: David Howells <dhowells@redhat.com>
> 
> The testmmiotrace module shouldn't be permitted when the kernel is locked
> down as it can be used to arbitrarily read and write MMIO space.
> 
> Suggested-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: David Howells <dhowells@redhat.com
> cc: Thomas Gleixner <tglx@linutronix.de>
> cc: Steven Rostedt <rostedt@goodmis.org>
> cc: Ingo Molnar <mingo@kernel.org>
> cc: "H. Peter Anvin" <hpa@zytor.com>
> cc: x86@kernel.org
> Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
> ---
>  arch/x86/mm/testmmiotrace.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
> index f6ae6830b341..bbaad357f5d7 100644
> --- a/arch/x86/mm/testmmiotrace.c
> +++ b/arch/x86/mm/testmmiotrace.c
> @@ -115,6 +115,9 @@ static int __init init(void)
>  {
>  	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
>  
> +	if (kernel_is_locked_down("MMIO trace testing"))
> +		return -EPERM;

I wonder if we should take this one step further. As this module is
really just for testing the mmiotracer (and really shouldn't be enabled
by anyone that doesn't know what it's for), why not just add to the Kconfig file

CONFIG_MMIOTRACE_TEST depend on !CONFIG_LOCK_DOWN_KERNEL ?

-- Steve

> +
>  	if (mmio_address == 0) {
>  		pr_err("you have to use the module argument
> mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY
> KNOW WHAT YOU ARE DOING!\n");

diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c
index f6ae6830b341..bbaad357f5d7 100644
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
@@ -115,6 +115,9 @@  static int __init init(void)
 {
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
 
+	if (kernel_is_locked_down("MMIO trace testing"))
+		return -EPERM;
+
 	if (mmio_address == 0) {
 		pr_err("you have to use the module argument mmio_address.\n");
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");

[20/27] x86/mmiotrace: Lock down the testmmiotrace module

Commit Message

Comments

Patch