Date: Tue, 26 Mar 2019 11:27:26 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-11-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190326182742.16950-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, Bjorn Helgaas, linux-pci@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future we can potentially relax this for
sufficiently IOMMU-isolated devices.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Acked-by: Bjorn Helgaas
cc: linux-pci@vger.kernel.org
---
 drivers/pci/pci-sysfs.c | 9 +++++++++
 drivers/pci/proc.c      | 9 ++++++++-
 drivers/pci/syscall.c   | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 9ecfe13157c0..59d02088945e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -905,6 +905,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { @@ -1167,6 +1170,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, enum pci_mmap_state mmap_type; struct resource *res = &pdev->resource[bar]; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) return -EINVAL; @@ -1242,6 +1248,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + return pci_resource_io(filp, kobj, attr, buf, off, count, true); } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6fa1627ce08d..85769f222b6d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, int size = dev->cfg_size; int cnt; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (pos >= size) return 0; if (nbytes >= size) @@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; + if (kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) + return -EPERM; + switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); 
@@ -237,7 +243,8 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret, write_combine = 0, res_bit = IORESOURCE_MEM; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c index d96626c614f5..0669cb09e792 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -90,7 +90,8 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, u32 dword; int err = 0; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) || + kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)) return -EPERM; dev = pci_get_domain_bus_and_slot(0, bus, dfn); -- 2.21.0.392.gf8f6787159e-goog
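
Review bot: In pci_write_config() (drivers/pci/pci-sysfs.c, hunk at -905) the new check refuses config-space writes, yet the subject and commit message mention only BAR access and DMA. The same holds for proc_bus_pci_write() and pciconfig_write(). Suggest adding a sentence to the commit message stating that config-space writes are refused as well and why, so the scope of the restriction is clear from the log alone.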
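
Review bot: In pci_mmap_resource() (drivers/pci/pci-sysfs.c, hunk at -1167) the check returns -EPERM before any other test, so every mapping of the resource is refused regardless of the protection requested. If refusing read-only mappings too is deliberate, a short comment above the check saying so would save the next reader from wondering whether it was an oversight.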
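
Review bot: In proc_bus_pci_ioctl() (drivers/pci/proc.c, hunk at -196) the check sits ahead of `switch (cmd)`, so it also rejects PCIIOC_CONTROLLER, which in the visible context only returns pci_domain_nr(dev->bus) and changes no device state. If denying that query is intended, please say so in a comment; otherwise move the check into the cases that need it.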
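
Review bot: The call `kernel_is_locked_down("Direct PCI access", LOCKDOWN_INTEGRITY)` is now repeated at seven sites across three files, the last being pciconfig_write() in drivers/pci/syscall.c. A small shared helper or a single string constant would keep the reason text from drifting between sites. The ordering is also inconsistent: in pciconfig_write() and proc_bus_pci_mmap() the capable() test runs first, while the other five sites call kernel_is_locked_down() before any other validation; choosing one order throughout would make the series easier to audit.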