From: Matthew Garrett <matthewgarrett@google.com>
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
Matthew Garrett <mjg59@srcf.ucam.org>,
David Howells <dhowells@redhat.com>,
Matthew Garrett <mjg59@google.com>,
Kees Cook <keescook@chromium.org>,
x86@kernel.org
Subject: [PATCH V38 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
Date: Wed, 7 Aug 2019 17:06:57 -0700 [thread overview]
Message-ID: <20190808000721.124691-6-matthewgarrett@google.com> (raw)
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>
From: Matthew Garrett <mjg59@srcf.ucam.org>
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.
Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
been locked down to prevent this.
Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: x86@kernel.org
---
drivers/char/mem.c | 7 +++++--
include/linux/security.h | 1 +
security/lockdown/lockdown.c | 1 +
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index b08dc50f9f26..d0148aee1aab 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -29,8 +29,8 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
-
#include <linux/uaccess.h>
+#include <linux/security.h>
#ifdef CONFIG_IA64
# include <linux/efi.h>
@@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
static int open_port(struct inode *inode, struct file *filp)
{
- return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
+ return security_locked_down(LOCKDOWN_DEV_MEM);
}
#define zero_lseek null_lseek
diff --git a/include/linux/security.h b/include/linux/security.h
index 8e70063074a1..9458152601b5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -104,6 +104,7 @@ enum lsm_event {
enum lockdown_reason {
LOCKDOWN_NONE,
LOCKDOWN_MODULE_SIGNATURE,
+ LOCKDOWN_DEV_MEM,
LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_CONFIDENTIALITY_MAX,
};
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 2c53fd9f5c9b..d2ef29d9f0b2 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down;
static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_NONE] = "none",
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
+ [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
--
2.22.0.770.g0f2c4a37fd-goog
next prev parent reply other threads:[~2019-08-08 0:09 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 0:06 [PATCH V38 00/29] security: Add support for locking down the kernel Matthew Garrett
2019-08-08 0:06 ` [PATCH V38 01/29] security: Support early LSMs Matthew Garrett
2019-08-08 0:06 ` [PATCH V38 02/29] security: Add a "locked down" LSM hook Matthew Garrett
2019-08-08 0:06 ` [PATCH V38 03/29] security: Add a static lockdown policy LSM Matthew Garrett
2019-08-08 0:06 ` [PATCH V38 04/29] Enforce module signatures if the kernel is locked down Matthew Garrett
2019-08-08 0:06 ` Matthew Garrett [this message]
2019-08-08 0:06 ` [PATCH V38 06/29] kexec_load: Disable at runtime " Matthew Garrett
2019-08-08 0:06 ` Matthew Garrett
2019-08-08 0:06 ` Matthew Garrett
2019-08-08 0:06 ` [PATCH V38 07/29] Copy secure_boot flag in boot params across kexec reboot Matthew Garrett
2019-08-08 0:06 ` Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE Matthew Garrett
2019-08-08 0:07 ` Matthew Garrett
2019-08-08 0:07 ` Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 09/29] kexec_file: Restrict at runtime if the kernel is locked down Matthew Garrett
2019-08-08 0:07 ` Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 10/29] hibernate: Disable when " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 11/29] PCI: Lock down BAR access " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 12/29] x86: Lock down IO port " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 13/29] x86/msr: Restrict MSR " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 14/29] ACPI: Limit access to custom_method " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been " Matthew Garrett
2019-08-14 2:51 ` Dave Young
2019-08-14 7:26 ` Borislav Petkov
2019-08-14 17:14 ` Matthew Garrett
2019-08-14 17:47 ` Borislav Petkov
2019-08-14 18:02 ` Matthew Garrett
2019-08-14 7:28 ` Borislav Petkov
2019-08-08 0:07 ` [PATCH V38 16/29] acpi: Disable ACPI table override if the kernel is " Matthew Garrett
2019-08-08 0:07 ` Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 17/29] Prohibit PCMCIA CIS storage when " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 18/29] Lock down TIOCSSERIAL Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 19/29] Lock down module params that specify hardware parameters (eg. ioport) Matthew Garrett
2019-08-08 11:12 ` Jessica Yu
2019-08-08 16:33 ` James Morris
2019-08-09 20:58 ` [PATCH V39] " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 20/29] x86/mmiotrace: Lock down the testmmiotrace module Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 21/29] Lock down /proc/kcore Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 22/29] Lock down tracing and perf kprobes when in confidentiality mode Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 23/29] bpf: Restrict bpf when kernel lockdown is " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 24/29] Lock down perf when " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 26/29] debugfs: Restrict debugfs when the kernel is " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 27/29] tracefs: Restrict tracefs " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 28/29] efi: Restrict efivar_ssdt_load " Matthew Garrett
2019-08-08 0:07 ` [PATCH V38 29/29] lockdown: Print current->comm in restriction messages Matthew Garrett
2019-08-10 6:08 ` [PATCH V38 00/29] security: Add support for locking down the kernel James Morris
2019-08-12 17:06 ` Matthew Garrett
2019-08-12 17:39 ` James Morris
2019-08-12 22:29 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190808000721.124691-6-matthewgarrett@google.com \
--to=matthewgarrett@google.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=mjg59@srcf.ucam.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.