Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4529175imb;
        Wed, 6 Mar 2019 16:04:04 -0800 (PST)
X-Google-Smtp-Source: APXvYqxQblnuC6w2/ZQR0Xf2kpCKDlkuxDkjZ7oFo4QleklV8LOqhfYTItZEwBbaUvAnMQDG7Dqw
X-Received: by 2002:aa7:81ce:: with SMTP id c14mr9651623pfn.51.1551917044858;
        Wed, 06 Mar 2019 16:04:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551917044; cv=none;
        d=google.com; s=arc-20160816;
        b=J4xT8wPkyyYM700/7rwbn7NOuRH7TC6nrhPlYLkje40U603a2VFyyjdWkRRyzAT7m3
         zwd0lanAb0HGsEOSep5eApPyn6qN4DuYOWAO7CWut1+Exs7kkuta6ahKvU3RgRcLihOs
         qY7SPYOrW5HdwflqCWTc26nIHx0sZopfrYWosrVvgoDojfdkrPE+htvklhfYh7GwxEoc
         PmZPg3gdPiqA3YqSOHqqdFMIukB27i4+LhkuR0nCq36nJAnVWjZfvbqYiRMmvbg/jVjF
         HM3LbVUo/onwVPN17kUd6+EMx1TTsKtSaKbqrXX2YKZtpnprZo5m4Y6rqtMrgRdqcGgB
         /tEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=;
        b=Nx0x+3WTKL4H38bH7aY6vIpJKxM6I9MNa3v2dOt1ALeG2/Ql1q1G798fiVjQrY7VWf
         GWroK4x/1eYIoRIr18Pl3OCfc9RG5+GyZQ3r4yne8w8ODO7DINw1oETAtY4RZbf5dXF0
         zetOAEXZS1w8RuUDfvqV/JuFL33NKFNcrj/2cAiMlSg3TNc+fS7J01dyjUm39LN1cxVQ
         CEhXPSzXWKJKZVApr4xls0Xcqy5AUGMYGtK+ZQcyymaSpfZ4K41Hory8KM2WFsB3MoRK
         ivuZnM2oZk7YitSsy7iGrxWELSzylH79SZKdshZ0iXz56Iw1fmh9njsIYlldhPTWZa7S
         I5GQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jvy9XixY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t23si2730281pfa.64.2019.03.06.16.03.49;
        Wed, 06 Mar 2019 16:04:04 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jvy9XixY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726767AbfCGABc (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 6 Mar 2019 19:01:32 -0500
Received: from mail-pg1-f202.google.com ([209.85.215.202]:40750 "EHLO
        mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726514AbfCFX76 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Mar 2019 18:59:58 -0500
Received: by mail-pg1-f202.google.com with SMTP id b12so14130245pgj.7
        for <linux-kernel@vger.kernel.org>; Wed, 06 Mar 2019 15:59:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=;
        b=jvy9XixYDMESBeGWm629iKWhW8u6ZS+rbPdR5wFtrAIoXp8X0Beq3w6n9KyLdUkrEq
         U63Xvyad7Y2Q/32lkLHR03jfxaTv1aMM6jOMrm+qmSWsxn6HOXHbRagx+eFwYySF+REa
         UvvUtrvxZCVpZjqOjHgIRFt3+/RVxukTl1nBAOBD3QTYdcuOr1gkmHZLxOR1/uxXUCUB
         XKOw9aEXXoB43Je4RTizkOm1OKKJ6GtN4jTQwKuHHOnEq8cLkxcX/rJCOdt7uTjtegeQ
         BUrVwanlHU9YJL5/dubEUv3r1m1tGqaggbRYbI2azMRSGJ5r+iChhYPnXncDsifN1LDg
         GaUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=;
        b=Oe6GU6H0AD3QYAYWec39EB52rzl/FuMv9uBaMHsTRtMCip1yV55pLJ8xVIVH1jiMct
         ptXIWOeyBgoG6UHrAxWPVj6heiYCbLBtheLam9tVZJMVm4ClHY9LDLJHVB2zTn6F1vFG
         DUB2u/A0HL3P4o1VCra9OrZmBnpj6gmWuVci3vZ/VKlx1/2miMzg8osKPPDhpLUpNw4R
         8fnD5glsdh6MsZlDC6Hkn8blb/LmFsabzS9JLG+XY0WKMFY//BsPers22hQZftP3RCHH
         yZ4vNZiPGgis12+9Zy4hpAryKx1ALJTW/6G83dfX81XB/MDQu8gnWs+A2pwufEsDv0p5
         Hs3w==
X-Gm-Message-State: APjAAAXUpUmH8muQZmVZc894dvO1oH+PDJwAywTBD6066IN9yNvSc1Qf
        q0LLYQ6p4Or7Z0D5dCVeZY9kj5AnFQPE/9ZSm/BdxA==
X-Received: by 2002:aa7:8259:: with SMTP id e25mr3957696pfn.99.1551916797433;
 Wed, 06 Mar 2019 15:59:57 -0800 (PST)
Date:   Wed,  6 Mar 2019 15:58:58 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-13-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190306235913.6631-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog
Subject: [PATCH 12/27] x86: Lock down IO port access when the kernel is locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@srcf.ucam.org>

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: x86@kernel.org
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..abc702a6ae9c 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+			kernel_is_locked_down("ioperm")))
 		return -EPERM;
 
 	/*
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) ||
+		    kernel_is_locked_down("iopl"))
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
-- 
2.21.0.352.gf09ad66450-goog