Date: Fri, 21 Jun 2019 17:03:34 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-6-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog
Subject: [PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: x86@kernel.org
---
 drivers/char/mem.c           | 6 +++++-
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..93c02493f0fa 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,6 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_DEV_MEM); + + if (ret) + return ret; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } diff --git a/include/linux/security.h b/include/linux/security.h index 46d85cd63b06..200175c8605a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -83,6 +83,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 25a3a5b0aa9c..565c87451f0f 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog
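Review bot: In open_port() (drivers/char/mem.c), the security_locked_down(LOCKDOWN_DEV_MEM) check runs only at open time, so a descriptor obtained before the kernel is locked down is not covered by this hunk. If lockdown can be raised after boot, either state that limitation in the commit message or add the same check to the read, write and mmap paths. The commit message also names /dev/mem and /dev/kmem while the only function touched is open_port(), so a line explaining how those two devices reach this check would help the next reader.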
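Review bot: In enum lockdown_reason (include/linux/security.h), LOCKDOWN_DEV_MEM is inserted above LOCKDOWN_INTEGRITY_MAX with no comment, and its position relative to the two _MAX markers looks like what decides the level at which it is enforced. The commit message cites both subversion of the kernel and theft of cryptographic information, so a short comment on the enum saying that ordering is significant, and why this reason sits in the integrity group, would keep later additions from landing in the wrong place.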
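Review bot: In lockdown_reasons[] (security/lockdown/lockdown.c), the string "/dev/mem,kmem,port" reads as a single path containing commas, unlike the subject line's /dev/{mem,kmem,port}. If this text is shown to users or logged, spell it out as "/dev/mem, /dev/kmem, /dev/port" or reuse the brace form so it is unambiguous when someone searches for it.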