From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932327AbdJWOeW convert rfc822-to-8bit (ORCPT ); Mon, 23 Oct 2017 10:34:22 -0400 Received: from mx1.redhat.com ([209.132.183.28]:58910 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932244AbdJWOeV (ORCPT ); Mon, 23 Oct 2017 10:34:21 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com C2A7AC0587CE Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=dhowells@redhat.com Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <150842466261.7923.14359746674406637357.stgit@warthog.procyon.org.uk> References: <150842466261.7923.14359746674406637357.stgit@warthog.procyon.org.uk> <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> To: joeyli Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com Subject: Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <18777.1508769258.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Mon, 23 Oct 2017 15:34:18 +0100 Message-ID: <18778.1508769258@warthog.procyon.org.uk> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Mon, 23 Oct 2017 14:34:20 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I think I should replace this patch with the attached. This will prevent /dev/mem, /dev/kmem and /dev/port from being *opened*, and thereby preventing read, write and ioctl. David --- commit e68daa2256986932b9a7d6709cf9e24b30d93583 Author: Matthew Garrett Date: Wed May 24 14:56:02 2017 +0100 Restrict /dev/{mem,kmem,port} when the kernel is locked down Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 593a8818aca9..0ce5ac0a5c6b 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; }