Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3662489img;
        Mon, 25 Mar 2019 15:11:43 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzGTJjRCyhjXZnocpWdV1dfKgywlxnNQIa+s0fsmnjgFQ3uTKKaSOMMq/rIWbtTsoudWucv
X-Received: by 2002:a17:902:396a:: with SMTP id e39mr5615951plg.220.1553551902976;
        Mon, 25 Mar 2019 15:11:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553551902; cv=none;
        d=google.com; s=arc-20160816;
        b=OFncft+SVTh/R1NBKitxwSJb0sdRJ5IESZKBHOT0Rygg8exwcD+dCu0wnlui2N8IEL
         42FGJVOIL+wBlxe4MdKLve++g87YPyG6Y7O6fOuucaKSCc9ilDG8hZB3EEyKdEu1svpC
         Ojuq6OFN+fdfRmE+drWopfks3BUIz1TwHgbEyBFekuX/PighcQi2WkqLTUU7Ee/pWvYh
         ubr9LPDHoIwlMjtpZYDp/Oro6RT7SoB7BfMqO9ZssiKvo74M533sRYIYRN9NQB52nwfX
         nGZQAEXNpHeqs1gI5lSstsBu2f/rGxmRPk7cn/S2MnmonPrmgl3V6a3kVI5XFCJeEps3
         iXfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:from:subject:references
         :mime-version:message-id:in-reply-to:date:dkim-signature;
        bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=;
        b=g5LgBCclLMfy4PX00bH5o4KjeDf5m0VcmpctLkYFrlmPep6PI7H1NqPOuV0A4WlqfS
         6on8LVFszqtahHIIikbt/fhDGDrsTvoPAhZN6Skd1c6gswjbqYCfQ2msQYYhYU6ZdWVU
         fP+pCxEPROq8/7s9WjaxwCKJBc6p1kLZuM9p1O0GO5aSNfhxEJQqWXe3VcRhQWT0SR3B
         mNQ40X5LMlfLHEqcToeff9k2gl2YEjar2+m+0NXxWwSj125hQfYnyAbj8mRDC52yx4dd
         VvxrcUFRyM7PYsg/osaBamA2aVb4WlVOsg7IdzTocNiQ1Ao1J6AnAuneRVQ/TFf9aQTm
         CwUA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=EXK8l7T5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d36si15820114pla.425.2019.03.25.15.11.28;
        Mon, 25 Mar 2019 15:11:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=EXK8l7T5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730970AbfCYWK3 (ORCPT <rfc822;deadfox.tw@gmail.com>
        + 99 others); Mon, 25 Mar 2019 18:10:29 -0400
Received: from mail-qk1-f201.google.com ([209.85.222.201]:33081 "EHLO
        mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730930AbfCYWK1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 25 Mar 2019 18:10:27 -0400
Received: by mail-qk1-f201.google.com with SMTP id n64so9964334qkb.0
        for <linux-kernel@vger.kernel.org>; Mon, 25 Mar 2019 15:10:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:in-reply-to:message-id:mime-version:references:subject:from:to
         :cc;
        bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=;
        b=EXK8l7T5cYfGiceftgkWGkN1G8A9oXteYG026SSL6tDI1FBBwP+joPkSAzs8YW9xhz
         NQ0CKWgD++O3K+ekroOkINAJMOrOZDJSU66JgvsVSh2PbLMX1olcD0kVRMWeiYERFYkS
         Cv2m2rSyv/k280NI7fC2mxmwSbrCoQugjaofRMLfhriI7h8oOba1lIwASidwkAk9hRr8
         TSRxtrkRHH+YaJaNY1KBrfNUa+nOCt4o0S/JVKDA3vaiZsvIC2SzTYnNTUVROEQTV5M+
         t5yTJG/8OV7Fnkp+2G1OIZbJGpI+tRE9f2VZ93vrU20ko/BqyRK9RJg/bArvjqE7M/QI
         sxWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=;
        b=hIK4gEnMnzAz8ZuqF51jNVzS4FxmPoXCRWx7I2ToE3piZ1RHmawlaa0KAUjuboS9BA
         ObpXnPkeQQwaDULuj8hq5nDg+VPGBUNHsogR3OIjOhR2YwlJlT1o+d6fXxrW7G6QCV9o
         pshqkC8ja9yJIojHdWj6TgDAR24EMzzNdpDEBFGWN0EWGnJ2iA4CEm6XXQCoexARPdoH
         2xn+BV819oAKQUXvHTqDpWtFp4glUfK4Jl9ScptnA+2EwXFjBL1gW7F4UCnQSyeF/AY/
         lCOl9pYiZ+8jnkEQy/hRCJoXHjB0yaz70tzd/MZMB0Po9WyRdWRhYY91Fjar6jA+VVda
         eORQ==
X-Gm-Message-State: APjAAAWPe0DcIbkFTOYoSaKX7K7dehSpS1PyvsY7zU74DU4oK1uGZk9b
        LfOqhpnWzqmMi8x0HPxrmCv5nzMEXS6X4KjGz1aRRg==
X-Received: by 2002:a0c:947a:: with SMTP id i55mr22757441qvi.223.1553551826807;
 Mon, 25 Mar 2019 15:10:26 -0700 (PDT)
Date:   Mon, 25 Mar 2019 15:09:38 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-12-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190325220954.29054-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down
From:   Matthew Garrett <matthewgarrett@google.com>
To:     jmorris@namei.org
Cc:     linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dhowells@redhat.com,
        Matthew Garrett <mjg59@srcf.ucam.org>,
        Thomas Gleixner <tglx@linutronix.de>, x86@kernel.org,
        Matthew Garrett <matthewgarrett@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett <mjg59@srcf.ucam.org>

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
cc: x86@kernel.org
Signed-off-by: Matthew Garrett <matthewgarrett@google.com>
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..abc702a6ae9c 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 		return -EINVAL;
-	if (turn_on && !capable(CAP_SYS_RAWIO))
+	if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+			kernel_is_locked_down("ioperm")))
 		return -EPERM;
 
 	/*
@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-		if (!capable(CAP_SYS_RAWIO))
+		if (!capable(CAP_SYS_RAWIO) ||
+		    kernel_is_locked_down("iopl"))
 			return -EPERM;
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
-- 
2.21.0.392.gf8f6787159e-goog