Commit cc223b88 authored by Matthew Garrett's avatar Matthew Garrett Committed by Tim Gardner

x86: Lock down IO port access when module security is enabled

BugLink: http://bugs.launchpad.net/bugs/1566221

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.
Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
parent 05add883
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/thread_info.h> #include <linux/thread_info.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/bitmap.h> #include <linux/bitmap.h>
#include <linux/module.h>
#include <asm/syscalls.h> #include <asm/syscalls.h>
/* /*
...@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) ...@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL; return -EINVAL;
if (turn_on && !capable(CAP_SYS_RAWIO)) if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
return -EPERM; return -EPERM;
/* /*
...@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) ...@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL; return -EINVAL;
/* Trying to gain more privileges? */ /* Trying to gain more privileges? */
if (level > old) { if (level > old) {
if (!capable(CAP_SYS_RAWIO)) if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM; return -EPERM;
} }
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
......
...@@ -27,6 +27,7 @@ ...@@ -27,6 +27,7 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/io.h> #include <linux/io.h>
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/module.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
...@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, ...@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos; unsigned long i = *ppos;
const char __user *tmp = buf; const char __user *tmp = buf;
if (secure_modules())
return -EPERM;
if (!access_ok(VERIFY_READ, buf, count)) if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT; return -EFAULT;
while (count-- > 0 && i < 65536) { while (count-- > 0 && i < 65536) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment