From: Andrew Morton <akpm@linux-foundation.org>
To: zhanglin <zhang.lin16@zte.com.cn>
Cc: dan.j.williams@intel.com, jgg@ziepe.ca, mingo@kernel.org,
dave.hansen@linux.intel.com, namit@vmware.com, bp@suse.de,
christophe.leroy@c-s.fr, rdunlap@infradead.org,
osalvador@suse.de, richardw.yang@linux.intel.com,
linux-kernel@vger.kernel.org, xue.zhihong@zte.com.cn,
wang.yi59@zte.com.cn, jiang.xuexin@zte.com.cn,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] kernel: Restrict permissions of /proc/iomem.
Date: Fri, 25 Oct 2019 14:32:20 -0700 [thread overview]
Message-ID: <20191025143220.cb15a90fe95a4ebdda70f89c@linux-foundation.org> (raw)
In-Reply-To: <1571993801-12665-1-git-send-email-zhang.lin16@zte.com.cn>
On Fri, 25 Oct 2019 16:56:41 +0800 zhanglin <zhang.lin16@zte.com.cn> wrote:
> The permissions of /proc/iomem currently are -r--r--r--. Everyone can
> see its content. As iomem contains information about the physical memory
> content of the device, restrict the information only to root.
>
> ...
>
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -139,7 +139,8 @@ static int __init ioresources_init(void)
> {
> proc_create_seq_data("ioports", 0, NULL, &resource_op,
> &ioport_resource);
> - proc_create_seq_data("iomem", 0, NULL, &resource_op, &iomem_resource);
> + proc_create_seq_data("iomem", S_IRUSR, NULL, &resource_op,
> + &iomem_resource);
> return 0;
> }
> __initcall(ioresources_init);
It's risky to change things like this - heaven knows which userspace
applications might break.
Possibly we could obfuscate the information if that is considered
desirable. Why is this a problem anyway? What are the possible
exploit scenarios?
Can't the same info be obtained by running dmesg and looking at the
startup info?
Can't the user who is concerned about this run chmod 0400 /proc/iomem
at boot?
Maybe Kees has an opinion?
next prev parent reply other threads:[~2019-10-25 21:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 8:56 [PATCH] kernel: Restrict permissions of /proc/iomem zhanglin
2019-10-25 21:32 ` Andrew Morton [this message]
2019-10-28 19:16 ` Kees Cook
2019-10-29 11:05 ` Christian Kujau
2019-10-25 21:38 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191025143220.cb15a90fe95a4ebdda70f89c@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=bp@suse.de \
--cc=christophe.leroy@c-s.fr \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=jgg@ziepe.ca \
--cc=jiang.xuexin@zte.com.cn \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namit@vmware.com \
--cc=osalvador@suse.de \
--cc=rdunlap@infradead.org \
--cc=richardw.yang@linux.intel.com \
--cc=wang.yi59@zte.com.cn \
--cc=xue.zhihong@zte.com.cn \
--cc=zhang.lin16@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).