Date: Thu, 20 Jun 2019 18:19:24 -0700
In-Reply-To: <20190621011941.186255-1-matthewgarrett@google.com>
Message-Id: <20190621011941.186255-14-matthewgarrett@google.com>
References: <20190621011941.186255-1-matthewgarrett@google.com>
Subject: [PATCH V33 13/30] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
--- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..ac0ba0b2f3be 100644
--- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_is_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_is_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 95aa5ac1fa6b..59f0ac7adfa6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -87,6 +87,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index ae76a7cce7ba..6e426887bb23 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog
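
Review bot: In the ksys_ioperm() hunk (@@ -31,7 +32,8 @@), the new security_is_locked_down(LOCKDOWN_IOPORT) test carries no comment, yet the changelog relies on it to cover the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls "implicitly"; nothing in the visible code says those ioctls reach this function. A one-line comment above the check naming those callers would keep a later refactor of the ioctl path from silently dropping the restriction. The lockdown refusal also returns the same -EPERM as a missing CAP_SYS_RAWIO, so userspace cannot tell the two causes apart from the error code; if that is intended, the changelog should say so.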
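
Review bot: In the iopl() hunk (@@ -126,7 +128,8 @@), the lockdown test is reached only under "if (level > old)", so a task already running at a raised IOPL is not affected by it and can keep or re-request its current level. If lockdown can be enabled after such a task has started, port access granted earlier stays in place. Please state in the changelog whether that is acceptable, or extend the check so that an unchanged non-zero level is also refused once LOCKDOWN_IOPORT applies.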
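
Review bot: In the enum lockdown_reason hunk of include/linux/security.h, LOCKDOWN_IOPORT is inserted ahead of LOCKDOWN_INTEGRITY_MAX with no comment on why it belongs on that side of the marker. The placement fits the changelog's rationale (root triggering arbitrary DMA), but since LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX appear to act as class boundaries, a short comment on the enum explaining that position selects the class would stop a future entry from being added in the wrong section.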
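
Review bot: In the lockdown_reasons[] hunk of security/lockdown/lockdown.c, the new string "raw io port access" writes "io" in lower case, while the neighbouring entry "direct PCI access" and this patch's own subject line ("IO port access") capitalise the acronym. Suggest "raw IO port access" so the reason strings read consistently.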