Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3662489img; Mon, 25 Mar 2019 15:11:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqzGTJjRCyhjXZnocpWdV1dfKgywlxnNQIa+s0fsmnjgFQ3uTKKaSOMMq/rIWbtTsoudWucv X-Received: by 2002:a17:902:396a:: with SMTP id e39mr5615951plg.220.1553551902976; Mon, 25 Mar 2019 15:11:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553551902; cv=none; d=google.com; s=arc-20160816; b=OFncft+SVTh/R1NBKitxwSJb0sdRJ5IESZKBHOT0Rygg8exwcD+dCu0wnlui2N8IEL 42FGJVOIL+wBlxe4MdKLve++g87YPyG6Y7O6fOuucaKSCc9ilDG8hZB3EEyKdEu1svpC Ojuq6OFN+fdfRmE+drWopfks3BUIz1TwHgbEyBFekuX/PighcQi2WkqLTUU7Ee/pWvYh ubr9LPDHoIwlMjtpZYDp/Oro6RT7SoB7BfMqO9ZssiKvo74M533sRYIYRN9NQB52nwfX nGZQAEXNpHeqs1gI5lSstsBu2f/rGxmRPk7cn/S2MnmonPrmgl3V6a3kVI5XFCJeEps3 iXfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=; b=g5LgBCclLMfy4PX00bH5o4KjeDf5m0VcmpctLkYFrlmPep6PI7H1NqPOuV0A4WlqfS 6on8LVFszqtahHIIikbt/fhDGDrsTvoPAhZN6Skd1c6gswjbqYCfQ2msQYYhYU6ZdWVU fP+pCxEPROq8/7s9WjaxwCKJBc6p1kLZuM9p1O0GO5aSNfhxEJQqWXe3VcRhQWT0SR3B mNQ40X5LMlfLHEqcToeff9k2gl2YEjar2+m+0NXxWwSj125hQfYnyAbj8mRDC52yx4dd VvxrcUFRyM7PYsg/osaBamA2aVb4WlVOsg7IdzTocNiQ1Ao1J6AnAuneRVQ/TFf9aQTm CwUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=EXK8l7T5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d36si15820114pla.425.2019.03.25.15.11.28; Mon, 25 Mar 2019 15:11:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=EXK8l7T5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730970AbfCYWK3 (ORCPT + 99 others); Mon, 25 Mar 2019 18:10:29 -0400 Received: from mail-qk1-f201.google.com ([209.85.222.201]:33081 "EHLO mail-qk1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730930AbfCYWK1 (ORCPT ); Mon, 25 Mar 2019 18:10:27 -0400 Received: by mail-qk1-f201.google.com with SMTP id n64so9964334qkb.0 for ; Mon, 25 Mar 2019 15:10:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=; b=EXK8l7T5cYfGiceftgkWGkN1G8A9oXteYG026SSL6tDI1FBBwP+joPkSAzs8YW9xhz NQ0CKWgD++O3K+ekroOkINAJMOrOZDJSU66JgvsVSh2PbLMX1olcD0kVRMWeiYERFYkS Cv2m2rSyv/k280NI7fC2mxmwSbrCoQugjaofRMLfhriI7h8oOba1lIwASidwkAk9hRr8 TSRxtrkRHH+YaJaNY1KBrfNUa+nOCt4o0S/JVKDA3vaiZsvIC2SzTYnNTUVROEQTV5M+ t5yTJG/8OV7Fnkp+2G1OIZbJGpI+tRE9f2VZ93vrU20ko/BqyRK9RJg/bArvjqE7M/QI sxWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=kOBn4Vsz7+t5uoVUQ5YrfNtYfxZHot9P0BHurCwotW8=; b=hIK4gEnMnzAz8ZuqF51jNVzS4FxmPoXCRWx7I2ToE3piZ1RHmawlaa0KAUjuboS9BA ObpXnPkeQQwaDULuj8hq5nDg+VPGBUNHsogR3OIjOhR2YwlJlT1o+d6fXxrW7G6QCV9o pshqkC8ja9yJIojHdWj6TgDAR24EMzzNdpDEBFGWN0EWGnJ2iA4CEm6XXQCoexARPdoH 2xn+BV819oAKQUXvHTqDpWtFp4glUfK4Jl9ScptnA+2EwXFjBL1gW7F4UCnQSyeF/AY/ lCOl9pYiZ+8jnkEQy/hRCJoXHjB0yaz70tzd/MZMB0Po9WyRdWRhYY91Fjar6jA+VVda eORQ== X-Gm-Message-State: APjAAAWPe0DcIbkFTOYoSaKX7K7dehSpS1PyvsY7zU74DU4oK1uGZk9b LfOqhpnWzqmMi8x0HPxrmCv5nzMEXS6X4KjGz1aRRg== X-Received: by 2002:a0c:947a:: with SMTP id i55mr22757441qvi.223.1553551826807; Mon, 25 Mar 2019 15:10:26 -0700 (PDT) Date: Mon, 25 Mar 2019 15:09:38 -0700 In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com> Message-Id: <20190325220954.29054-12-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190325220954.29054-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Matthew Garrett , Thomas Gleixner , x86@kernel.org, Matthew Garrett Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Thomas Gleixner cc: x86@kernel.org Signed-off-by: Matthew Garrett --- arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..abc702a6ae9c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm"))) return -EPERM; /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl")) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -- 2.21.0.392.gf8f6787159e-goog