From: ethan.kernel@gmail.com (Ethan Zhao)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down
Date: Tue, 24 Oct 2017 18:48:44 +0800 [thread overview]
Message-ID: <CABawtvMWhHJHtog9BWNVJ3Xk-ipOhPp+TGSVNjjZD27QAfB+Nw@mail.gmail.com> (raw)
In-Reply-To: <18778.1508769258@warthog.procyon.org.uk>
David?
May I ask a question here -- Is it intentionally enabling the
read-only mode, so userspace
tools like dmidecode could work with kernel_is_locked_down ? while it
was impossible to work
with the attached patch applied. Is it a security policy change with
secure boot ?
Thanks,
Ethan
On Mon, Oct 23, 2017 at 10:34 PM, David Howells <dhowells@redhat.com> wrote:
> I think I should replace this patch with the attached. This will prevent
> /dev/mem, /dev/kmem and /dev/port from being *opened*, and thereby preventing
> read, write and ioctl.
>
> David
> ---
> commit e68daa2256986932b9a7d6709cf9e24b30d93583
> Author: Matthew Garrett <matthew.garrett@nebula.com>
> Date: Wed May 24 14:56:02 2017 +0100
>
> Restrict /dev/{mem,kmem,port} when the kernel is locked down
>
> Allowing users to read and write to core kernel memory makes it possible
> for the kernel to be subverted, avoiding module loading restrictions, and
> also to steal cryptographic information.
>
> Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
> been locked down to prevent this.
>
> Also disallow /dev/port from being opened to prevent raw ioport access and
> thus DMA from being used to accomplish the same thing.
>
> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
>
> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
> index 593a8818aca9..0ce5ac0a5c6b 100644
> --- a/drivers/char/mem.c
> +++ b/drivers/char/mem.c
> @@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
>
> static int open_port(struct inode *inode, struct file *filp)
> {
> + if (kernel_is_locked_down("/dev/mem,kmem,port"))
> + return -EPERM;
> return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-10-24 10:48 UTC|newest]
Thread overview: 148+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-19 14:50 [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-19 14:50 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image David Howells
2017-10-20 23:19 ` James Morris
2017-10-19 14:50 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown David Howells
2017-10-19 17:20 ` Randy Dunlap
2017-10-19 22:12 ` David Howells
2017-11-07 17:39 ` Thiago Jung Bauermann
2017-11-07 22:56 ` David Howells
2017-10-19 14:50 ` [PATCH 03/27] Enforce module signatures if the kernel is locked down David Howells
2017-10-20 6:33 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-27 18:48 ` Mimi Zohar
2017-10-30 17:00 ` David Howells
2017-10-30 17:52 ` Mimi Zohar
2017-11-02 17:22 ` David Howells
2017-11-02 19:13 ` Mimi Zohar
2017-11-02 21:30 ` David Howells
2017-11-02 21:41 ` Mimi Zohar
2017-11-02 22:01 ` David Howells
2017-11-02 22:18 ` Mimi Zohar
2017-10-19 14:51 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when " David Howells
2017-10-20 6:37 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-19 14:51 ` [PATCH 05/27] kexec: Disable at runtime if " David Howells
2017-10-20 6:38 ` joeyli
2017-10-20 23:22 ` James Morris
2017-10-19 14:51 ` [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-10-20 23:26 ` James Morris
2017-10-23 15:54 ` Mimi Zohar
2017-10-26 7:42 ` joeyli
2017-10-26 14:17 ` Mimi Zohar
2017-10-27 19:30 ` Mimi Zohar
2017-10-27 19:32 ` Mimi Zohar
2017-10-28 8:34 ` joeyli
2017-10-29 22:26 ` Mimi Zohar
2017-10-30 9:00 ` David Howells
2017-10-30 12:01 ` Mimi Zohar
2017-10-26 15:02 ` David Howells
2017-10-26 15:46 ` Mimi Zohar
2017-10-30 15:49 ` David Howells
2017-10-30 16:43 ` Mimi Zohar
2017-11-02 17:00 ` David Howells
2017-10-26 14:51 ` David Howells
2017-11-02 17:29 ` David Howells
2017-10-19 14:51 ` [PATCH 08/27] hibernate: Disable when the kernel is locked down David Howells
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 09/27] uswsusp: " David Howells
2017-10-20 6:41 ` joeyli
2017-10-20 23:29 ` James Morris
2017-10-19 14:51 ` [PATCH 10/27] PCI: Lock down BAR access " David Howells
2017-10-20 6:42 ` joeyli
2017-10-19 14:51 ` [PATCH 11/27] x86: Lock down IO port " David Howells
2017-10-20 6:43 ` joeyli
2017-10-19 14:52 ` [PATCH 12/27] x86/msr: Restrict MSR " David Howells
2017-10-20 6:43 ` joeyli
2017-10-20 18:09 ` Alan Cox
2017-10-20 20:48 ` David Howells
2017-10-21 4:39 ` joeyli
2017-10-23 14:49 ` David Howells
2017-10-25 14:03 ` joeyli
2017-10-19 14:52 ` [PATCH 13/27] asus-wmi: Restrict debugfs interface " David Howells
2017-10-20 6:44 ` joeyli
2017-10-19 14:52 ` [PATCH 14/27] ACPI: Limit access to custom_method " David Howells
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 16/27] acpi: Disable ACPI table override if the kernel is " David Howells
2017-10-20 6:46 ` joeyli
2017-10-19 14:52 ` [PATCH 17/27] acpi: Disable APEI error injection " David Howells
2017-10-20 6:47 ` joeyli
2017-10-19 14:52 ` [PATCH 18/27] bpf: Restrict kernel image access functions when " David Howells
2017-10-19 22:18 ` Alexei Starovoitov
2017-10-20 2:47 ` joeyli
2017-10-20 8:08 ` David Howells
2017-10-20 15:57 ` jlee at suse.com
2017-10-20 16:03 ` David Howells
2017-10-20 16:43 ` jlee at suse.com
2017-10-23 14:53 ` David Howells
2017-10-25 7:07 ` joeyli
2017-10-19 22:48 ` David Howells
2017-10-19 23:31 ` Alexei Starovoitov
2017-11-09 17:15 ` David Howells
2017-10-19 14:52 ` [PATCH 19/27] scsi: Lock down the eata driver David Howells
2017-10-19 14:53 ` [PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 21/27] Lock down TIOCSSERIAL David Howells
2017-10-19 14:53 ` [PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2017-10-19 14:53 ` [PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2017-10-19 14:53 ` [PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down David Howells
2017-10-19 14:53 ` [PATCH 25/27] Lock down /proc/kcore David Howells
2017-10-21 2:11 ` James Morris
2017-10-23 14:56 ` David Howells
2017-10-19 14:53 ` [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode David Howells
2017-10-21 2:19 ` James Morris
2017-10-23 14:58 ` David Howells
2017-10-19 14:53 ` [PATCH 27/27] efi: Lock down the kernel if booted in " David Howells
2017-10-19 22:39 ` [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-23 14:34 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down David Howells
2017-10-24 10:48 ` Ethan Zhao [this message]
2017-10-24 14:56 ` David Howells
2017-11-02 22:01 ` [PATCH 00/27] security, efi: Add kernel lockdown Mimi Zohar
2017-11-02 22:04 ` Firmware signing -- " David Howells
2017-11-02 22:10 ` Mimi Zohar
2017-11-07 23:07 ` Luis R. Rodriguez
2017-11-08 6:15 ` AKASHI, Takahiro
2017-11-08 19:46 ` Luis R. Rodriguez
2017-11-09 1:48 ` AKASHI, Takahiro
2017-11-09 2:17 ` Mimi Zohar
2017-11-09 4:46 ` AKASHI, Takahiro
2017-11-10 13:37 ` Mimi Zohar
2017-11-11 2:32 ` Alan Cox
2017-11-13 11:49 ` Mimi Zohar
2017-11-13 17:42 ` Luis R. Rodriguez
2017-11-13 21:08 ` Alan Cox
2017-12-04 19:51 ` Luis R. Rodriguez
2017-12-07 15:32 ` Alan Cox
2017-11-13 21:44 ` David Howells
2017-11-13 22:09 ` Linus Torvalds
2017-11-14 0:20 ` Alan Cox
2017-11-14 12:21 ` Mimi Zohar
2017-11-14 12:38 ` Greg Kroah-Hartman
2017-11-14 13:17 ` Mimi Zohar
2017-11-14 17:34 ` Linus Torvalds
2017-11-14 19:58 ` Matthew Garrett
2017-11-14 20:18 ` Linus Torvalds
2017-11-14 20:31 ` Matthew Garrett
2017-11-14 20:35 ` Linus Torvalds
2017-11-14 20:37 ` Matthew Garrett
2017-11-14 20:50 ` Luis R. Rodriguez
2017-11-14 20:55 ` Matthew Garrett
2017-11-14 22:14 ` James Bottomley
2017-11-14 22:17 ` Matthew Garrett
2017-11-14 22:31 ` James Bottomley
2017-11-14 22:34 ` Matthew Garrett
2017-11-15 11:49 ` Mimi Zohar
2017-11-15 17:52 ` Luis R. Rodriguez
2017-11-15 19:56 ` Mimi Zohar
2017-11-15 20:46 ` Luis R. Rodriguez
2017-11-16 0:05 ` Mimi Zohar
[not found] ` <20171205102757.GA12982@amd>
2017-12-07 23:02 ` Luis R. Rodriguez
2017-12-08 17:11 ` Alan Cox
2017-11-10 1:46 ` Luis R. Rodriguez
2017-11-10 13:45 ` Mimi Zohar
2017-11-13 18:50 ` Luis R. Rodriguez
2017-11-13 19:08 ` Luis R. Rodriguez
2017-11-08 20:01 ` Mimi Zohar
2017-11-08 20:09 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABawtvMWhHJHtog9BWNVJ3Xk-ipOhPp+TGSVNjjZD27QAfB+Nw@mail.gmail.com \
--to=ethan.kernel@gmail.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).