Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4529175imb; Wed, 6 Mar 2019 16:04:04 -0800 (PST) X-Google-Smtp-Source: APXvYqxQblnuC6w2/ZQR0Xf2kpCKDlkuxDkjZ7oFo4QleklV8LOqhfYTItZEwBbaUvAnMQDG7Dqw X-Received: by 2002:aa7:81ce:: with SMTP id c14mr9651623pfn.51.1551917044858; Wed, 06 Mar 2019 16:04:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551917044; cv=none; d=google.com; s=arc-20160816; b=J4xT8wPkyyYM700/7rwbn7NOuRH7TC6nrhPlYLkje40U603a2VFyyjdWkRRyzAT7m3 zwd0lanAb0HGsEOSep5eApPyn6qN4DuYOWAO7CWut1+Exs7kkuta6ahKvU3RgRcLihOs qY7SPYOrW5HdwflqCWTc26nIHx0sZopfrYWosrVvgoDojfdkrPE+htvklhfYh7GwxEoc PmZPg3gdPiqA3YqSOHqqdFMIukB27i4+LhkuR0nCq36nJAnVWjZfvbqYiRMmvbg/jVjF HM3LbVUo/onwVPN17kUd6+EMx1TTsKtSaKbqrXX2YKZtpnprZo5m4Y6rqtMrgRdqcGgB /tEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=; b=Nx0x+3WTKL4H38bH7aY6vIpJKxM6I9MNa3v2dOt1ALeG2/Ql1q1G798fiVjQrY7VWf GWroK4x/1eYIoRIr18Pl3OCfc9RG5+GyZQ3r4yne8w8ODO7DINw1oETAtY4RZbf5dXF0 zetOAEXZS1w8RuUDfvqV/JuFL33NKFNcrj/2cAiMlSg3TNc+fS7J01dyjUm39LN1cxVQ CEhXPSzXWKJKZVApr4xls0Xcqy5AUGMYGtK+ZQcyymaSpfZ4K41Hory8KM2WFsB3MoRK ivuZnM2oZk7YitSsy7iGrxWELSzylH79SZKdshZ0iXz56Iw1fmh9njsIYlldhPTWZa7S I5GQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=jvy9XixY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t23si2730281pfa.64.2019.03.06.16.03.49; Wed, 06 Mar 2019 16:04:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=jvy9XixY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726767AbfCGABc (ORCPT + 99 others); Wed, 6 Mar 2019 19:01:32 -0500 Received: from mail-pg1-f202.google.com ([209.85.215.202]:40750 "EHLO mail-pg1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726514AbfCFX76 (ORCPT ); Wed, 6 Mar 2019 18:59:58 -0500 Received: by mail-pg1-f202.google.com with SMTP id b12so14130245pgj.7 for ; Wed, 06 Mar 2019 15:59:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=; b=jvy9XixYDMESBeGWm629iKWhW8u6ZS+rbPdR5wFtrAIoXp8X0Beq3w6n9KyLdUkrEq U63Xvyad7Y2Q/32lkLHR03jfxaTv1aMM6jOMrm+qmSWsxn6HOXHbRagx+eFwYySF+REa UvvUtrvxZCVpZjqOjHgIRFt3+/RVxukTl1nBAOBD3QTYdcuOr1gkmHZLxOR1/uxXUCUB XKOw9aEXXoB43Je4RTizkOm1OKKJ6GtN4jTQwKuHHOnEq8cLkxcX/rJCOdt7uTjtegeQ BUrVwanlHU9YJL5/dubEUv3r1m1tGqaggbRYbI2azMRSGJ5r+iChhYPnXncDsifN1LDg GaUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=QDpkt2iLJaW7UQwtu1XuZ4vl79/9VRxhowqTd8n/Fpc=; b=Oe6GU6H0AD3QYAYWec39EB52rzl/FuMv9uBaMHsTRtMCip1yV55pLJ8xVIVH1jiMct ptXIWOeyBgoG6UHrAxWPVj6heiYCbLBtheLam9tVZJMVm4ClHY9LDLJHVB2zTn6F1vFG DUB2u/A0HL3P4o1VCra9OrZmBnpj6gmWuVci3vZ/VKlx1/2miMzg8osKPPDhpLUpNw4R 8fnD5glsdh6MsZlDC6Hkn8blb/LmFsabzS9JLG+XY0WKMFY//BsPers22hQZftP3RCHH yZ4vNZiPGgis12+9Zy4hpAryKx1ALJTW/6G83dfX81XB/MDQu8gnWs+A2pwufEsDv0p5 Hs3w== X-Gm-Message-State: APjAAAXUpUmH8muQZmVZc894dvO1oH+PDJwAywTBD6066IN9yNvSc1Qf q0LLYQ6p4Or7Z0D5dCVeZY9kj5AnFQPE/9ZSm/BdxA== X-Received: by 2002:aa7:8259:: with SMTP id e25mr3957696pfn.99.1551916797433; Wed, 06 Mar 2019 15:59:57 -0800 (PST) Date: Wed, 6 Mar 2019 15:58:58 -0800 In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com> Message-Id: <20190306235913.6631-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190306235913.6631-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.352.gf09ad66450-goog Subject: [PATCH 12/27] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Thomas Gleixner Reviewed-by: "Lee, Chun-Yi" cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..abc702a6ae9c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl")) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -- 2.21.0.352.gf09ad66450-goog