Re: [PATCH] kernel: Restrict permissions of /proc/iomem.

[Kees Cook <keescook@chromium.org>]

On Fri, Oct 25, 2019 at 02:32:20PM -0700, Andrew Morton wrote:
> On Fri, 25 Oct 2019 16:56:41 +0800 zhanglin <zhang.lin16@zte.com.cn> wrote:
> 
> > The permissions of /proc/iomem currently are -r--r--r--. Everyone can
> > see its content. As iomem contains information about the physical memory
> > content of the device, restrict the information only to root.
> > 
> > ...
> >
> > --- a/kernel/resource.c
> > +++ b/kernel/resource.c
> > @@ -139,7 +139,8 @@ static int __init ioresources_init(void)
> >  {
> >  	proc_create_seq_data("ioports", 0, NULL, &resource_op,
> >  			&ioport_resource);
> > -	proc_create_seq_data("iomem", 0, NULL, &resource_op, &iomem_resource);
> > +	proc_create_seq_data("iomem", S_IRUSR, NULL, &resource_op,
> > +			&iomem_resource);
> >  	return 0;
> >  }
> >  __initcall(ioresources_init);
> 
> It's risky to change things like this - heaven knows which userspace
> applications might break.
> 
> Possibly we could obfuscate the information if that is considered
> desirable.  Why is this a problem anyway?  What are the possible
> exploit scenarios?

This is already done: kptr_restrict sysctl already zeros these values
if it is set. e.g.:

00000000-00000000 : System RAM
  00000000-00000000 : Kernel code
  00000000-00000000 : Kernel data
  00000000-00000000 : Kernel bss

> Can't the same info be obtained by running dmesg and looking at the
> startup info?

Both virtual and physical address dumps in dmesg are considered "bad
form" these days and most have been removed.

> Can't the user who is concerned about this run chmod 0400 /proc/iomem
> at boot?

That is also possible.

> Maybe Kees has an opinion?

I do! :) System owners should either set kptr_restrict (or the CONFIG),
or do a chmod.

-- 
Kees Cook