Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp102467imb;
        Thu, 28 Feb 2019 17:27:04 -0800 (PST)
X-Google-Smtp-Source: APXvYqxBBgbtofi2ZVWrrkxKou0CEMrSZMsKfrdHJcmFkgFFkuO4EuA6PtPXcBYNjTc4VFWiHcW+
X-Received: by 2002:a17:902:7686:: with SMTP id m6mr2639331pll.262.1551403623981;
        Thu, 28 Feb 2019 17:27:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551403623; cv=none;
        d=google.com; s=arc-20160816;
        b=PolvxhZEVOYW8rAepGzf/lIMAICZcn6bKN+dfq4sUZAOHRBDZDg77cgYHrlUAkSWqn
         6Z8XhN9joOx9wq1lr6X22y98+heEidejBpbR0RhjUzzhtyG86fBPqOIq94I3JKh7zEnj
         5o5TNWLjWzCSSKavBw2gCMySid8omEAX74gyYSP1SGoAuZJDc96yUdoLVIlsQkJSPZlW
         OhgbOnrgtgBcmBRJteFSDX/1QjJ5hJj1i3AZrLDZtKwIZGtBkt3nmTsAOcRERhA3GAfF
         /8U1tWtx8vXe5IWiHihBTIjrBO8W3DcH7WcQQAhDBbytAbNOWxe8AUfqP4N1lvMli2Li
         D6EA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=Wtblv7CT5Upf5j4F9ZDp7ozjiqhluHRrt49GDLKpkfY=;
        b=VjsZUsp+O6kVSFxu71yi1xRFAyodtHomBOH4GOjR6MT6G9k0NIWSeqNSnhgyRPfvDG
         Bzd+oekgRaUI9B39y91AGpBl95xyxg94jv5Znd0i0A7ochbOcf9cc+/2FuIrFJG1Tn1p
         4Ec8x7Zyx1LGMXOOdgyjszjKleC4hmKpqnfKtGGgyJOGSnV0s4oThiQxgPvQ0eJ63rKR
         d7Sfvmaku8TOXs7pVC3Fhr60oZ06fh9h5kPwy9aWq0ocNNO0tiO2vGWo53txSkqp3CZk
         BBaWG/0hQtVquk0+UzmXr6w7nXNThCEANHe99Lxyj6zbJHz+btBTiG9EXK9D7mKmP73J
         YV/A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=GC2PYmS9;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l4si18930281pgr.346.2019.02.28.17.26.48;
        Thu, 28 Feb 2019 17:27:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=GC2PYmS9;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387829AbfB1XMi (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Thu, 28 Feb 2019 18:12:38 -0500
Received: from mail-pl1-f202.google.com ([209.85.214.202]:54158 "EHLO
        mail-pl1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2387802AbfB1XMf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Feb 2019 18:12:35 -0500
Received: by mail-pl1-f202.google.com with SMTP id t1so16188243plo.20
        for <linux-kernel@vger.kernel.org>; Thu, 28 Feb 2019 15:12:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=Wtblv7CT5Upf5j4F9ZDp7ozjiqhluHRrt49GDLKpkfY=;
        b=GC2PYmS9jR6nrnqlMzH2aZd92rT/QgV0RAhZ9ntx1vuRcVG6IiFngBTZeNuw6bzV6u
         f1pYzZ5m8GDX7LMG6N7JOdwb7tlBpa71/HnuLlEM5zohtke23Lfg98b3gWZ808IkMshv
         +u7wbW4DFyB5r+jTTvUf1akuE0xU5IU9EuYQ6XotCTFddmLeVB1/G8piCZ8dLMfsVsP4
         yR1UimMKwYlWQvulSSd57CUFEeFvJ8gAjhzdOW2iajytFiwvnYtyfS2qQN8xEhE7G6Zr
         IEWt45+L5WvUWk35DQMLxlvFcW5hT5hehluPIQpjuQCysapZ21ZzdDgcj5ZteEuwXysG
         FdzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=Wtblv7CT5Upf5j4F9ZDp7ozjiqhluHRrt49GDLKpkfY=;
        b=M0njUtWyfNw7fQxh5O+m9nD6eDAMC0oaXEIvNBl7ap0R1B6ZKOc6qk1gbEF8m0aKMn
         uVQiynxfj/IVTRX8HspjjgtFMXsAGyqeMRVQ7LtAMHMYm4gtnycYHxTVVQtXJdicK2/y
         XDDy4rZdzUkrzoi9VpbGbg35SKFQbtERCVWIg0pqBHqbITSvRTNymBzWN5PmHxUXna24
         ZTH6kEkMogH3BwO3clTBpOoyhL4z/PNOlh2LRtAkpFLtrXcDvwYUBqxtQT2ud6MljRQ9
         0uomOTyJPwDRMHoZqI50A1yM25dRXpqVCUfAXdhclYUamAq2I8J4Pns3oDiu83n637XV
         tBmQ==
X-Gm-Message-State: APjAAAX6f6Xt0ZNZJjwbxfb0qYPH0s9GKewV7E0yLwsc+RE0lP5UXsY1
        xOdS6qcAuya+0gIJeUDXlPoCm1D9hZIsVYaoHToWwg==
X-Received: by 2002:a17:902:2dc3:: with SMTP id p61mr671197plb.108.1551395554796;
 Thu, 28 Feb 2019 15:12:34 -0800 (PST)
Date:   Thu, 28 Feb 2019 15:11:48 -0800
In-Reply-To: <20190228231203.212359-1-matthewgarrett@google.com>
Message-Id: <20190228231203.212359-12-matthewgarrett@google.com>
Mime-Version: 1.0
References: <CACdnJuvW47m3JvEcuEX1bsr+L2Ht9LDn_iCuPbHLOoaohOFW4Q@mail.gmail.com>
 <20190228231203.212359-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 12/27] x86: Lock down IO port access when the kernel is locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@srcf.ucam.org>

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..abc702a6ae9c 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+			kernel_is_locked_down("ioperm")))
 		return -EPERM;
 
 	/*
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) ||
+		    kernel_is_locked_down("iopl"))
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
-- 
2.21.0.352.gf09ad66450-goog