Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Matthew Garrett <mjg59@google.com>,
	David Howells <dhowells@redhat.com>,
	Kees Cook <keescook@chromium.org>,
	x86@kernel.org
Subject: [PATCH V38 12/29] x86: Lock down IO port access when the kernel is locked down
Date: Wed,  7 Aug 2019 17:07:04 -0700
Message-ID: <20190808000721.124691-13-matthewgarrett@google.com> (raw)
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>

From: Matthew Garrett <mjg59@srcf.ucam.org>

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c     | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..61a89d3c0382 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -11,6 +11,7 @@
 #include <linux/errno.h>
 #include <linux/types.h>
 #include <linux/ioport.h>
+#include <linux/security.h>
 #include <linux/smp.h>
 #include <linux/stddef.h>
 #include <linux/slab.h>
@@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+			security_locked_down(LOCKDOWN_IOPORT)))
 		return -EPERM;
 
 	/*
@@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) ||
+		    security_locked_down(LOCKDOWN_IOPORT))
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
diff --git a/include/linux/security.h b/include/linux/security.h
index 8adbd62b7669..79250b2ffb8f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -108,6 +108,7 @@ enum lockdown_reason {
 	LOCKDOWN_KEXEC,
 	LOCKDOWN_HIBERNATION,
 	LOCKDOWN_PCI_ACCESS,
+	LOCKDOWN_IOPORT,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_CONFIDENTIALITY_MAX,
 };
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 655fe388e615..316f7cf4e996 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_KEXEC] = "kexec of unsigned images",
 	[LOCKDOWN_HIBERNATION] = "hibernation",
 	[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
+	[LOCKDOWN_IOPORT] = "raw io port access",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
-- 
2.22.0.770.g0f2c4a37fd-goog


  parent reply index

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-08  0:06 [PATCH V38 00/29] security: Add support for locking down the kernel Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 01/29] security: Support early LSMs Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 02/29] security: Add a "locked down" LSM hook Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 04/29] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 05/29] Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 06/29] kexec_load: Disable at runtime if " Matthew Garrett
2019-08-08  0:06 ` [PATCH V38 07/29] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 10/29] hibernate: Disable when " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-08-08  0:07 ` Matthew Garrett [this message]
2019-08-08  0:07 ` [PATCH V38 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-08-14  2:51   ` Dave Young
2019-08-14  7:26   ` Borislav Petkov
2019-08-14 17:14     ` Matthew Garrett
2019-08-14 17:47       ` Borislav Petkov
2019-08-14 18:02         ` Matthew Garrett
2019-08-14  7:28   ` Borislav Petkov
2019-08-08  0:07 ` [PATCH V38 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 17/29] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 18/29] Lock down TIOCSSERIAL Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 19/29] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-08 11:12   ` Jessica Yu
2019-08-08 16:33     ` James Morris
2019-08-09 20:58     ` [PATCH V39] " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 21/29] Lock down /proc/kcore Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 22/29] Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 24/29] Lock down perf when " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 27/29] tracefs: Restrict tracefs " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 28/29] efi: Restrict efivar_ssdt_load " Matthew Garrett
2019-08-08  0:07 ` [PATCH V38 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-08-10  6:08 ` [PATCH V38 00/29] security: Add support for locking down the kernel James Morris
2019-08-12 17:06   ` Matthew Garrett
2019-08-12 17:39     ` James Morris
2019-08-12 22:29       ` James Morris

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190808000721.124691-13-matthewgarrett@google.com \
    --to=matthewgarrett@google.com \
    --cc=dhowells@redhat.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=mjg59@srcf.ucam.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git