From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>, Matthew Garrett <mjg59@google.com>, David Howells <dhowells@redhat.com>, Kees Cook <keescook@chromium.org>, x86@kernel.org
Subject: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down
Date: Mon, 19 Aug 2019 17:17:48 -0700
Message-ID: <20190820001805.241928-13-matthewgarrett@google.com>
In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com>

From: Matthew Garrett <mjg59@srcf.ucam.org>

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: x86@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
---
 arch/x86/kernel/ioport.c     | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include <linux/errno.h> #include <linux/types.h> #include <linux/ioport.h> +#include <linux/security.h> #include <linux/smp.h> #include <linux/stddef.h> #include <linux/slab.h>
@@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 2b763f0ee352..cd93fa5d3c6d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 410e90eda848..8b7d65dbb086 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog
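Review bot: in the ksys_ioperm() hunk the return value of security_locked_down(LOCKDOWN_IOPORT) is collapsed into the boolean `||` and the caller always gets -EPERM, so any other errno the hook might report is discarded; if the hook can only ever return 0 or -EPERM this is harmless, but keeping the capability test as it is and then doing `ret = security_locked_down(LOCKDOWN_IOPORT); if (ret) return ret;` would propagate whatever the LSM decides. The short-circuit order is right: an unprivileged caller is rejected by capable() before the hook is consulted, and because the test is gated on `turn_on`, clearing port permissions stays allowed. One more thing worth a one-line comment at the check: the commit message says the KDADDIO/KDDELIO/KDENABIO/KDDISABIO console ioctls are covered implicitly, which only holds as long as those ioctls keep going through ksys_ioperm() rather than a separate path, so stating that dependency next to the check protects it from a later refactor.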
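Review bot: the iopl() hunk has the same collapsing of the hook's return value into -EPERM as the ksys_ioperm() hunk; either is fine as long as both are treated the same way, so whichever form is chosen should be used in both places. The check is correctly placed under `if (level > old)`, so lowering IOPL is still permitted and only escalation is denied; the flip side, worth a sentence in the commit message, is that a task which already holds an elevated IOPL is not touched by this hunk, since nothing here revokes an IOPL that was granted before the check applied.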
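Review bot: LOCKDOWN_IOPORT is inserted before LOCKDOWN_INTEGRITY_MAX in the include/linux/security.h hunk, i.e. it is classified as an integrity restriction rather than a confidentiality one, which is the right half of the enum given the commit message's rationale (arbitrary DMA can write kernel memory, not merely read it) and it sits next to LOCKDOWN_PCI_ACCESS, the reason it extends. No change needed, but since the position relative to the *_MAX sentinels is what decides when the reason is enforced, a brief comment on the enum saying which range means what would help future additions land on the correct side.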
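Review bot: style, in the security/lockdown/lockdown.c hunk the new reason string reads "raw io port access" with lowercase "io", while the subject line and commit message write "IO port" and the neighbouring entry is "direct PCI access"; since this string is user-visible, "raw I/O port access" (or "raw IO port access" to match the subject) would be consistent with the rest of the table.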
Thread overview: 46+ messages
2019-08-20 0:17 [PATCH V40 00/29] Add kernel lockdown functionality Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 01/29] security: Support early LSMs Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 02/29] security: Add a "locked down" LSM hook Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 05/29] lockdown: Restrict /dev/{mem,kmem,port} when " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 06/29] kexec_load: Disable at runtime if " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 07/29] lockdown: Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-08-30 14:26 ` Philipp Rudo
2019-08-20 0:17 ` [PATCH V40 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 10/29] hibernate: Disable when " Matthew Garrett
2019-08-20 21:43 ` Rafael J. Wysocki
2019-08-25 9:51 ` Pavel Machek
2019-08-20 0:17 ` [PATCH V40 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-08-20 19:45 ` Bjorn Helgaas
2019-08-20 21:04 ` Matthew Garrett
2019-08-20 0:17 ` Matthew Garrett [this message]
2019-08-20 0:17 ` [PATCH V40 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-08-20 22:07 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-08-20 22:08 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-08-20 22:08 ` Rafael J. Wysocki
2019-08-20 0:17 ` [PATCH V40 17/29] lockdown: Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 18/29] lockdown: Lock down TIOCSSERIAL Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 19/29] lockdown: Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-20 16:39 ` Jessica Yu
2019-08-20 0:17 ` [PATCH V40 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 21/29] lockdown: Lock down /proc/kcore Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 22/29] lockdown: Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-08-20 0:17 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 24/29] lockdown: Lock down perf when " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 27/29] tracefs: Restrict tracefs " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 28/29] efi: Restrict efivar_ssdt_load " Matthew Garrett
2019-08-20 0:18 ` [PATCH V40 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-08-20 6:45 ` [PATCH V40 00/29] Add kernel lockdown functionality James Morris
2019-08-30 16:28 ` [PATCH V40 03/29] security: Add a static lockdown policy LSM David Howells
2019-09-04 16:51 ` Matthew Garrett
2019-09-10 10:06 ` Matthew Garrett
2019-08-30 16:31 ` [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down David Howells
2019-09-04 16:57 ` Matthew Garrett
2019-08-30 16:32 ` [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode David Howells