Commit 9b9d8dda authored by Matthew Garrett's avatar Matthew Garrett Committed by James Morris

lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down, to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Cc: x86@kernel.org
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 49fcf732
...@@ -29,8 +29,8 @@ ...@@ -29,8 +29,8 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/io.h> #include <linux/io.h>
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/security.h>
#ifdef CONFIG_IA64 #ifdef CONFIG_IA64
# include <linux/efi.h> # include <linux/efi.h>
...@@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) ...@@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
static int open_port(struct inode *inode, struct file *filp) static int open_port(struct inode *inode, struct file *filp)
{ {
return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; if (!capable(CAP_SYS_RAWIO))
return -EPERM;
return security_locked_down(LOCKDOWN_DEV_MEM);
} }
#define zero_lseek null_lseek #define zero_lseek null_lseek
......
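Review bot: The new security_locked_down() call in open_port runs only after the CAP_SYS_RAWIO test, so a caller that holds the capability is now refused on a locked-down kernel where it was previously admitted unconditionally; that change of contract for privileged callers deserves a comment above the call, e.g. `/* CAP_SYS_RAWIO alone is not enough once the kernel is locked down */`. The hunk touches only open_port, while the commit message covers /dev/mem and /dev/kmem as well; if those opens reach this function through open_mem/open_kmem defines elsewhere in mem.c, a one-line comment naming that would make the single check's coverage visible here. The whole body of open_port is inside the hunk, so nothing else is cut.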
...@@ -104,6 +104,7 @@ enum lsm_event { ...@@ -104,6 +104,7 @@ enum lsm_event {
enum lockdown_reason { enum lockdown_reason {
LOCKDOWN_NONE, LOCKDOWN_NONE,
LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_MODULE_SIGNATURE,
LOCKDOWN_DEV_MEM,
LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_CONFIDENTIALITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX,
}; };
......
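Review bot: LOCKDOWN_DEV_MEM is inserted between LOCKDOWN_MODULE_SIGNATURE and LOCKDOWN_INTEGRITY_MAX, which from the *_MAX naming looks like the enum is ordered by class and the position is what decides when the reason is enforced, yet the enum carries no comment saying that order matters. A comment on the new entry, `/* raw /dev/mem, /dev/kmem and /dev/port access (integrity class) */`, would record both what the reason covers and why it sits before LOCKDOWN_INTEGRITY_MAX. The same ordering assumption applies to the matching string-table entry in lockdown.c, which relies on the designated index and so stays correct if the enum is reordered.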
...@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; ...@@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down;
static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_NONE] = "none", [LOCKDOWN_NONE] = "none",
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
[LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
}; };
......