Date: Fri, 21 Jun 2019 17:03:41 -0700
In-Reply-To: <20190622000358.19895-1-matthewgarrett@google.com>
Message-Id: <20190622000358.19895-13-matthewgarrett@google.com>
References: <20190622000358.19895-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.410.gd8fdbe21b5-goog
Subject: [PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c     | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644
--- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 1b849f10dec6..60569b7e9465 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -87,6 +87,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index e2ee8a16b94c..895ef3ba1b4c 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog
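
Review bot: In the ksys_ioperm() hunk of arch/x86/kernel/ioport.c, the new security_locked_down(LOCKDOWN_IOPORT) test has no comment, yet the commit message relies on this single check to also cover the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. A short comment above the condition naming those callers would keep a later refactor of the ioctl path from silently bypassing the lockdown. Because the test is gated on turn_on, dropping port access stays permitted under lockdown; that looks intended and is worth stating in the same comment.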
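
Review bot: In the iopl() hunk of arch/x86/kernel/ioport.c, the lockdown test sits inside "if (level > old)", so a task whose IOPL was raised before the kernel was locked down keeps that level and can call iopl() at or below it without ever reaching security_locked_down(LOCKDOWN_IOPORT). If lockdown can be enabled after such a task has started, please say in the commit message or a comment whether grants that already exist are in scope; the same question applies to port bitmaps already handed out through ksys_ioperm(), where the check is likewise limited to turn_on.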
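
Review bot: The new lockdown_reasons[] entry in the security/lockdown/lockdown.c hunk reads "raw io port access", while the neighbouring entry capitalises its acronym ("direct PCI access") and the commit message itself writes "IO port". Suggest "raw IO port access" so the reason strings in the table stay consistent.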