From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754085Ab3IEDwp (ORCPT ); Wed, 4 Sep 2013 23:52:45 -0400 Received: from terminus.zytor.com ([198.137.202.10]:35028 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753781Ab3IEDwn (ORCPT ); Wed, 4 Sep 2013 23:52:43 -0400 Message-ID: <5227FFE8.5050102@zytor.com> Date: Wed, 04 Sep 2013 20:52:08 -0700 From: "H. Peter Anvin" User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8 MIME-Version: 1.0 To: Matthew Garrett CC: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, keescook@chromium.org Subject: Re: [PATCH V3 03/11] x86: Lock down IO port access when module security is enabled References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com> <1378252218-18798-4-git-send-email-matthew.garrett@nebula.com> In-Reply-To: <1378252218-18798-4-git-send-email-matthew.garrett@nebula.com> X-Enigmail-Version: 1.5.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/03/2013 04:50 PM, Matthew Garrett wrote: > IO port access would permit users to gain access to PCI configuration > registers, which in turn (on a lot of hardware) give access to MMIO register > space. This would potentially permit root to trigger arbitrary DMA, so lock > it down by default. > > Signed-off-by: Matthew Garrett Seriously... just deny CAP_SYS_RAWIO to any system in secure mode. -hpa From mboxrd@z Thu Jan 1 00:00:00 1970 From: "H. Peter Anvin" Subject: Re: [PATCH V3 03/11] x86: Lock down IO port access when module security is enabled Date: Wed, 04 Sep 2013 20:52:08 -0700 Message-ID: <5227FFE8.5050102@zytor.com> References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com> <1378252218-18798-4-git-send-email-matthew.garrett@nebula.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1378252218-18798-4-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org> Sender: linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Matthew Garrett Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org List-Id: linux-efi@vger.kernel.org On 09/03/2013 04:50 PM, Matthew Garrett wrote: > IO port access would permit users to gain access to PCI configuration > registers, which in turn (on a lot of hardware) give access to MMIO register > space. This would potentially permit root to trigger arbitrary DMA, so lock > it down by default. > > Signed-off-by: Matthew Garrett Seriously... just deny CAP_SYS_RAWIO to any system in secure mode. -hpa