Date: Mon, 15 Jul 2019 12:59:22 -0700
In-Reply-To: <20190715195946.223443-1-matthewgarrett@google.com>
Message-Id: <20190715195946.223443-6-matthewgarrett@google.com>
References: <20190715195946.223443-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog
Subject: [PATCH V35 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
---
 drivers/char/mem.c           | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.510.g264f2c817a-goog
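Review bot: in the @@ -29,8 +29,8 @@ hunk of drivers/char/mem.c the header names were lost in extraction, so the visible `- #include` / `+#include` pair cannot be checked from the text as shown; the added include must be the header that declares security_locked_down() (include/linux/security.h, which this same patch extends), otherwise the new call in open_port() will not compile. Please confirm the removed line is not a header that something else in mem.c still depends on.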
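Review bot: the check added to open_port() is enforced only at open() time, so descriptors on /dev/mem, /dev/kmem or /dev/port that were obtained before lockdown took effect keep working; the commit message should say so, since it currently reads as if all access is cut off. A second point in the same hunk: a missing CAP_SYS_RAWIO and a locked-down kernel both surface to userspace as -EPERM (security_locked_down() is the only other return path), so callers cannot tell the two refusals apart by errno, and the lockdown case should be the one that gets reported through the LSM's own reporting using the LOCKDOWN_DEV_MEM reason so administrators can distinguish them.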
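Review bot: LOCKDOWN_DEV_MEM is inserted between LOCKDOWN_MODULE_SIGNATURE and LOCKDOWN_INTEGRITY_MAX in enum lockdown_reason, which makes it an integrity-level restriction, while the commit message also motivates the change by the ability to steal cryptographic information, which is a confidentiality concern. The placement is right, because the same open() also grants write access to kernel memory, but the commit message should state that reasoning explicitly. Since the position within the enum carries the integrity/confidentiality meaning, a brief comment on the enum saying that new reasons must be inserted before the matching *_MAX sentinel would keep later additions from landing in the wrong half.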
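Review bot: the new lockdown_reasons entry "/dev/mem,kmem,port" is a bare path list, whereas its neighbours ("unsigned module loading", "integrity", "confidentiality") are descriptive phrases; if these strings are interpolated into user-facing messages, a phrase such as "raw memory and ioport device access" reads more consistently. The array is declared with LOCKDOWN_CONFIDENTIALITY_MAX+1 entries and indexed by the enum, so the new entry fits without resizing.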
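As an added example, not part of this patch or of the kernel tree, the following userspace probe lets an administrator verify on a running system that the open-time restriction on /dev/mem, /dev/kmem and /dev/port is in force. It assumes those three device nodes exist, that running as root approximates holding CAP_SYS_RAWIO, and that the kernel exposes its lockdown mode at /sys/kernel/security/lockdown (a securityfs file provided by the lockdown LSM in mainline, not by this patch). It also illustrates the point that a refused open() returns EPERM both when the capability is missing and when the kernel is locked down, so the probe has to read the lockdown state separately rather than infer it from errno.

```c
/* Added example (not part of the patch above): userspace probe for the
 * lockdown restriction on /dev/mem, /dev/kmem and /dev/port.
 * Assumptions: the device nodes exist, running as root stands in for
 * CAP_SYS_RAWIO, and /sys/kernel/security/lockdown is present (provided
 * by the lockdown LSM, not by this patch). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Try to open a device node; return 0 on success or -errno on failure.
 * The descriptor is closed immediately: only open()'s verdict matters. */
int probe_device(const char *path, int flags)
{
    int fd = open(path, flags | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Interpret a probe result. The patched open_port() returns -EPERM both
 * when CAP_SYS_RAWIO is missing and when the kernel is locked down, so
 * EPERM alone proves nothing unless the caller holds the capability. */
const char *interpret(int rc, int is_root)
{
    if (rc == 0)
        return "open succeeded: not restricted";
    if (rc == -EPERM)
        return is_root ? "EPERM as root: consistent with lockdown"
                       : "EPERM without CAP_SYS_RAWIO: inconclusive";
    if (rc == -ENOENT)
        return "device node absent";
    return "other error";
}

/* Read the kernel's reported lockdown mode into buf (NUL-terminated).
 * Returns the number of bytes read or -errno. The file is assumed to
 * exist; it is not created by this patch. */
int read_lockdown_state(char *buf, size_t len)
{
    int fd = open("/sys/kernel/security/lockdown", O_RDONLY | O_CLOEXEC);
    ssize_t n;
    if (fd < 0)
        return -errno;
    n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    static const char *const nodes[] = { "/dev/mem", "/dev/kmem", "/dev/port" };
    char state[128];
    int is_root = geteuid() == 0;
    int n = read_lockdown_state(state, sizeof state);

    if (n >= 0)
        printf("lockdown state: %s%s", state,
               (n > 0 && state[n - 1] == '\n') ? "" : "\n");
    else
        printf("lockdown state file not readable: %s\n", strerror(-n));

    for (size_t i = 0; i < sizeof nodes / sizeof nodes[0]; i++) {
        int rc = probe_device(nodes[i], O_RDONLY);
        printf("%-9s -> %s (%s)\n", nodes[i], interpret(rc, is_root),
               rc ? strerror(-rc) : "ok");
    }
    return 0;
}
```

Run it once as root on a kernel that is not locked down (the opens should succeed) and once after lockdown is in effect (all three should fail with EPERM); a descriptor opened before lockdown is not revoked by this patch, so the probe only reports what a fresh open() would get.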