Date: Wed, 31 Jul 2019 15:15:53 -0700
In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com>
Message-Id: <20190731221617.234725-6-matthewgarrett@google.com>
References: <20190731221617.234725-1-matthewgarrett@google.com>
Subject: [PATCH V37 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
---
 drivers/char/mem.c           | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog
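
Review bot: in the open_port() hunk the lockdown check runs only at open time, so a descriptor obtained before the kernel is locked down stays usable, because no read, write or mmap handler is touched by this patch. If the lockdown level can be raised after boot, either repeat security_locked_down(LOCKDOWN_DEV_MEM) in those handlers or state in the commit message that already-open descriptors are out of scope. The commit message also names /dev/mem and /dev/kmem while the only function changed is open_port(); a one-line comment above it saying which device nodes share this open handler would make the coverage checkable from the diff.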
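
Review bot: in the enum lockdown_reason hunk, LOCKDOWN_DEV_MEM takes its enforcement level purely from its position ahead of LOCKDOWN_INTEGRITY_MAX, and nothing in the header documents that. The commit message gives both an integrity reason (subverting the kernel) and a confidentiality reason (stealing cryptographic information), so a short comment in the enum stating what the position relative to LOCKDOWN_INTEGRITY_MAX means, and why this entry belongs before it, would keep a later edit from moving it past the marker by accident.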
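
Review bot: in the lockdown_reasons[] hunk the new string "/dev/mem,kmem,port" names device nodes, while the neighbouring "unsigned module loading" names an action, so messages built from this table will not read consistently. Pick one form for the table entries (what is being blocked, or what was attempted) and word the new entry to match.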