From patchwork Wed Jul 31 22:15:53 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 11069705
Date: Wed, 31 Jul 2019 15:15:53 -0700
In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com>
Message-Id: <20190731221617.234725-6-matthewgarrett@google.com>
References: <20190731221617.234725-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog
Subject: [PATCH V37 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org
From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
---
 drivers/char/mem.c | 7 +++++--
 include/linux/security.h | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c 
@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", };
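Review bot: the first drivers/char/mem.c hunk (@@ -29,8 +29,8 @@) removes the blank line that separated the existing include groups and appends the new include in its place, which merges the two groups; keeping the separator and placing the new include next to the other headers of the same kind would preserve the file's existing grouping.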
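Review bot: the new check in open_port() (second drivers/char/mem.c hunk, @@ -786,7 +786,10 @@) is enforced only at open time, so a descriptor obtained before lockdown was engaged keeps its access afterwards; if lockdown can be enabled after boot, that limitation deserves a sentence in the commit message or a comment above the function. The ordering of the two tests is right: capable(CAP_SYS_RAWIO) still runs first, so unprivileged callers see the same -EPERM as before, and only privileged openers reach security_locked_down(LOCKDOWN_DEV_MEM), whose return value becomes the open result (0 when not locked down). Since open_port() is shared by /dev/mem, /dev/kmem and /dev/port, the commit message could say that a single hook covers all three.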
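Review bot: in the include/linux/security.h hunk, LOCKDOWN_DEV_MEM is inserted before LOCKDOWN_INTEGRITY_MAX, which classifies it as an integrity-level reason enforced in both lockdown modes; because the commit message also cites stealing cryptographic information (a confidentiality concern), it should state explicitly that the reason sits in the integrity section because raw memory access defeats the module-signature restriction. A comment on enum lockdown_reason noting that a value's position relative to the *_MAX markers decides which mode enforces it would also help future additions land in the right place.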
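Review bot: the string "/dev/mem,kmem,port" added to lockdown_reasons[] in the security/lockdown/lockdown.c hunk is what users will see in the lockdown message, and the subject line spells the same set as /dev/{mem,kmem,port}; picking one form consistently would avoid two spellings of the same thing. The designated initializer [LOCKDOWN_DEV_MEM] keeps the entry aligned with the enum whatever its position, and the array is sized from LOCKDOWN_CONFIDENTIALITY_MAX+1, so no size change is needed for the new entry.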