Date: Wed, 3 Apr 2019 17:32:33 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-12-matthewgarrett@google.com>
Mime-Version: 1.0
References: <20190404003249.14356-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
Subject: [PATCH V32 11/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, Matthew Garrett, x86@kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 0fe1c8782208..febbd7eb847c 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))) return -EPERM; /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | -- 2.21.0.392.gf8f6787159e-goog
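Review bot: in the ksys_ioperm() hunk the new test is gated on `turn_on`, so a locked-down kernel still lets a task drop port permissions it already holds, which is the right direction; and because the check sits inside ksys_ioperm() rather than in the syscall wrapper, in-kernel callers of the helper (the KDADDIO/KDDELIO/KDENABIO/KDDISABIO ioctls the commit message mentions) pick it up too. Suggest a one-line comment above the `if` stating that the lockdown test is deliberately placed in the helper, so a later refactor that moves the capability check out to the syscall entry does not silently re-open those ioctl paths.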
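Review bot: in the iopl() hunk the operand order is load-bearing: `!capable(CAP_SYS_RAWIO)` is evaluated first, so kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY) only runs for callers that already hold the capability, and unprivileged callers keep failing on the existing capability path without ever reaching the lockdown hook. A short comment such as `/* capability first: lockdown is consulted only for otherwise-privileged callers */` would keep a future cleanup from swapping the operands. It would also help to say in the commit message why LOCKDOWN_INTEGRITY is the chosen level; the stated rationale (root triggering arbitrary DMA) is an integrity concern, so the level fits, but the text never makes that link explicit.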