Received: by 10.192.165.156 with SMTP id m28csp941510imm; Wed, 11 Apr 2018 09:36:59 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/8Pgu3csKpUPtCTYpjfkewQBnmXMpeqm5/e3ov+FGbY4HRlAXZpuEZtoUqal5IDD86Dm+A X-Received: by 10.99.96.66 with SMTP id u63mr4011143pgb.22.1523464619379; Wed, 11 Apr 2018 09:36:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523464619; cv=none; d=google.com; s=arc-20160816; b=nkkbnSE0McHpu6Vs99028CtmnDwce7JAVHuuiEo/z69FMiHguJus6Rku0z3VuccsUY YZXa/d5+rCOTqKbdB3XSitXXiouXk0x9LC/TJgHBNXswfIWA9/Z5cfq3gAq5f9xdejOH 7IgpEyUvm5GGiSlELxOr2PGNFou3TlrOAZ0X/y3YwCZzBEMjY8saEKlXyeGrjdfgrylF DPpixXhoR1KMIvDp0NMStygzZ5551FJnC49SdyPNhZS1JqyPY5oordvWE7ruYmEvbCE/ jpDVBNkz4y5aSpAahPcxbLc3Ekko6Wb/JxT8EtwX4FPmi4/FmTk3jrx23m1cc7WtU+b6 9lRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:cc:to:from :subject:organization:arc-authentication-results; bh=A5IZW81Q4d0CzuvYKTaIOjOxr0+jY8yAeTFtnbBKj3k=; b=VtitdU32UgK4MkHskqgHWr1wkAmVKPeODdE4Db4qFYqXHBkE3jjWQZT7+AHTgEj44n YJI/TmlgJLLsoL2gfVR46YWPRf0TD3LFbBkH24x5sK+KkgVfm8FCgPuCWJY0sFr4O66C n9WU4+odwp6OiEQcRSAIzxfJVB491wAg1JkpYVJJfpF6zWY7NIvuswy42YEdAMgck0w5 XW77cE6NQT6YpNoFVMyC1qn874MGATIFCYZmv4XpzmImUM+blr0AIyJ9tgIWEt+4eVUp FRZqxgFjQV4HxGoPPxBQ3gfPLxgn72CUc33eROATir6NIyKPKwKpzLtKu2HCRnU92qas BRIA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q6-v6si633801pls.457.2018.04.11.09.36.22; Wed, 11 Apr 2018 09:36:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754123AbeDKQZo (ORCPT + 99 others); Wed, 11 Apr 2018 12:25:44 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:54348 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752804AbeDKQZk (ORCPT ); Wed, 11 Apr 2018 12:25:40 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A4291430A629; Wed, 11 Apr 2018 16:25:39 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-8.rdu2.redhat.com [10.10.120.8]) by smtp.corp.redhat.com (Postfix) with ESMTP id B83A0215CDAF; Wed, 11 Apr 2018 16:25:38 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down From: David Howells To: torvalds@linux-foundation.org Cc: linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org Date: Wed, 11 Apr 2018 17:25:38 +0100 Message-ID: <152346393827.4030.9682809430473131782.stgit@warthog.procyon.org.uk> In-Reply-To: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 11 Apr 2018 16:25:39 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 11 Apr 2018 16:25:39 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to paranoid - in future we can potentially relax this for sufficiently IOMMU-isolated devices. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Bjorn Helgaas Reviewed-by: "Lee, Chun-Yi" cc: linux-pci@vger.kernel.org --- drivers/pci/pci-sysfs.c | 9 +++++++++ drivers/pci/proc.c | 9 ++++++++- drivers/pci/syscall.c | 3 ++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 366d93af051d..1e149ec006a4 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 1ee8927a0635..469445a9019b 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access")) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); @@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..b8a08d3166a1 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access")) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn);