Date: Thu, 18 Jul 2019 12:43:58 -0700
In-Reply-To: <20190718194415.108476-1-matthewgarrett@google.com>
Message-Id: <20190718194415.108476-13-matthewgarrett@google.com>
References: <20190718194415.108476-1-matthewgarrett@google.com>
Subject: [PATCH V36 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, Kees Cook, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Kees Cook
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c     | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.510.g264f2c817a-goog
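
Review bot: in ksys_ioperm() (arch/x86/kernel/ioport.c, the `turn_on` check) nothing in the code records that this one condition is also what covers the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls; the commit message says so, but a reader of ioport.c will not see it. A one-line comment above `if (turn_on && (!capable(CAP_SYS_RAWIO) ||` naming those callers would keep a later refactor from silently dropping that coverage. The ordering is fine as written: capable() is evaluated first, so security_locked_down(LOCKDOWN_IOPORT) is only consulted for callers that already hold CAP_SYS_RAWIO, and the `turn_on == 0` path that only drops access stays permitted.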
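
Review bot: in the iopl() hunk the lockdown check sits inside `if (level > old)`, so it gates only a raise of the privilege level; a task whose IOPL is already elevated passes straight through, and likewise ksys_ioperm() checks only at grant time. If lockdown can take effect after such a grant, please state in the commit message whether leaving existing grants in place is intended. Separately, `!capable(CAP_SYS_RAWIO) || security_locked_down(LOCKDOWN_IOPORT)` is now open-coded twice in this file; a small static helper would keep the two paths from drifting apart.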
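
Review bot: in lockdown_reasons[] (security/lockdown/lockdown.c) the new string "raw io port access" writes "io" in lower case, while the neighbouring entry is "direct PCI access" and the subject line and commit message write "IO port"; suggest "raw IO port access" for consistency. The position of LOCKDOWN_IOPORT in include/linux/security.h, ahead of LOCKDOWN_INTEGRITY_MAX, matches the DMA rationale given in the commit message, so no change is needed there.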