| Message ID | 20190326182742.16950-20-matthewgarrett@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add support for kernel lockdown | expand |
On Tue, 26 Mar 2019 11:27:35 -0700 Matthew Garrett <matthewgarrett@google.com> wrote: > From: David Howells <dhowells@redhat.com> > > The testmmiotrace module shouldn't be permitted when the kernel is locked > down as it can be used to arbitrarily read and write MMIO space. This is > a runtime check rather than buildtime in order to allow configurations > where the same kernel may be run in both locked down or permissive modes > depending on local policy. > Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> I'm curious. Should there be a mode to lockdown the tracefs directory too? As that can expose addresses. -- Steve > Suggested-by: Thomas Gleixner <tglx@linutronix.de> > Signed-off-by: David Howells <dhowells@redhat.com > Signed-off-by: Matthew Garrett <mjg59@google.com> > cc: Thomas Gleixner <tglx@linutronix.de> > cc: Steven Rostedt <rostedt@goodmis.org> > cc: Ingo Molnar <mingo@kernel.org> > cc: "H. Peter Anvin" <hpa@zytor.com> > cc: x86@kernel.org > --- > arch/x86/mm/testmmiotrace.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c > index f6ae6830b341..9e8ad665f354 100644 > --- a/arch/x86/mm/testmmiotrace.c > +++ b/arch/x86/mm/testmmiotrace.c > @@ -115,6 +115,9 @@ static int __init init(void) > { > unsigned long size = (read_far) ? (8 << 20) : (16 << 10); > > + if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY)) > + return -EPERM; > + > if (mmio_address == 0) { > pr_err("you have to use the module argument mmio_address.\n"); > pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
On Wed, Mar 27, 2019 at 8:57 AM Steven Rostedt <rostedt@goodmis.org> wrote: > > On Tue, 26 Mar 2019 11:27:35 -0700 > Matthew Garrett <matthewgarrett@google.com> wrote: > > > From: David Howells <dhowells@redhat.com> > > > > The testmmiotrace module shouldn't be permitted when the kernel is locked > > down as it can be used to arbitrarily read and write MMIO space. This is > > a runtime check rather than buildtime in order to allow configurations > > where the same kernel may be run in both locked down or permissive modes > > depending on local policy. > > > > Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> > > I'm curious. Should there be a mode to lockdown the tracefs directory > too? As that can expose addresses. That sounds like a reasonable thing to do in the confidentiality mode, I don't think it'd be necessary in the integrity mode.
diff --git a/arch/x86/mm/testmmiotrace.c b/arch/x86/mm/testmmiotrace.c index f6ae6830b341..9e8ad665f354 100644 --- a/arch/x86/mm/testmmiotrace.c +++ b/arch/x86/mm/testmmiotrace.c @@ -115,6 +115,9 @@ static int __init init(void) { unsigned long size = (read_far) ? (8 << 20) : (16 << 10); + if (kernel_is_locked_down("MMIO trace testing", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (mmio_address == 0) { pr_err("you have to use the module argument mmio_address.\n"); pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");