Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6481526ybi; Wed, 31 Jul 2019 15:24:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqyg5uslUtsc7SksSLSVQRIgnHtXDKDhOARx2mloiIh08m1gZuDkswL9fNI5VC1yWKk9uePl X-Received: by 2002:a62:2a4d:: with SMTP id q74mr49700196pfq.86.1564611868536; Wed, 31 Jul 2019 15:24:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564611868; cv=none; d=google.com; s=arc-20160816; b=ATl0LqE1OIXQ9dVPCRJiuTYSMow6Uv/VeMh/j2KGlZ6MAPCzr02HwfZTmLWgZp4Z0f u3EjWV2tG6OX9shGYtz+VnXz+hl2ukZ9mFC9/OxR38PQ1qiMMy1e95XjRL/ZU3a+C3Uj +QYt+lJHNQTyLmNNnYRhOdGX8Cp92tbXdnO0bpliv0tSORUuatDJOenX2aa4gvMfhQ0Q Obd/O+0eXe3e6vhXTHGreusqDySs8xHN2bZLF+PUCrNg+HaBoSQd9rXTB6WPCkzFoDgk VCQmXrYwVke+U9D4BkdIxVdqf5HbayXrK8pqPgGK9QBcg/Tf4yj9xXhrJH3TTJNFPv9a IPXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=+lxhGCdajZtpWA+WbiP8jppyBQ25CBPRuMFm1CLt5nU=; b=xcGTAOhw92Qd5aGcEMaCyV7q3EtWXqlBF0/X7wmHhiiMuG68OgVdcqPnTMUUFr16qk SOkpInYlX76YM+t422PEqq4GIha69mo3jF4B8f5kosP0kgYzbXu16g8n3+ib8iw0sDRi VXTqjMDkK6MqHj6DCYxh5oT51GkkQyPT9qggFYVGCL1RmI8BM5Rryx3S+/guTrNbDVkG HI960tagYrDeFVqlAXgg3lrHgJdnUq8g41Czq+jeIikmOloJP28euH0/Gc1SaPSHY1at w9C8zTLV14jTb/T5EpNIQyX+Ya7ATBnfPhUVf86/FEUsSTwOVIbNtMcmoX8YvFTxeStG y8dw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=j4MKFnGU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e129si33818172pgc.344.2019.07.31.15.24.13; Wed, 31 Jul 2019 15:24:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=j4MKFnGU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731282AbfGaWRB (ORCPT + 99 others); Wed, 31 Jul 2019 18:17:01 -0400 Received: from mail-vk1-f202.google.com ([209.85.221.202]:46430 "EHLO mail-vk1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731272AbfGaWQ5 (ORCPT ); Wed, 31 Jul 2019 18:16:57 -0400 Received: by mail-vk1-f202.google.com with SMTP id j63so29955956vkc.13 for ; Wed, 31 Jul 2019 15:16:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=+lxhGCdajZtpWA+WbiP8jppyBQ25CBPRuMFm1CLt5nU=; b=j4MKFnGU7X99YI5wLcfXrhbOFDvuZvPJ8DeJhyJvAsxAIFQzgYt+EFTnWPv0qMmkqR RG0mjKzeZVlqOwakSykYJYD4KlJ6ZRROwgtz1cp0jWXaki3qCH9YM8h6Kql3AgjbTz3t 7UnMOKbyWLe96otjDVG+dPr1R4wuC89qSfNHZvEltYLDw8qpgwmXL88G1rNcHSh8Ucbo ch/Jb5eC737kJjy3xmYpy0cGNVYHfTX0wvJfVwGTLzHiYfpNJAZHSMZhxoPG3QCTu+0+ AAWnCM2SF0ibefGRIEsGmypEVjUHwxuhFVw1+MxxB9icrlIFugrsv66o4wI0DPZ0k6yJ OJ7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=+lxhGCdajZtpWA+WbiP8jppyBQ25CBPRuMFm1CLt5nU=; b=dTzB0M/qETRkBAE0TMVbJC0+aiNrExtHHfxWQQk3qNjIwy0RWYXZLEIrnjVpi8tSRJ AfWTPNuHtn3fo921B1E7CKbO8zjHaMqC2tMT+8kPnE8pD0T8ypXNgPYlxm0mtmyjyCao aKNskVoM0bpqpd6THaK8ATet+SpSs+diXdZdS2vnwqL3ZSMNFSrD8Ax4Fwa9u/l8Lbbk I4G517V80G5Reyb3EPcliBYndqUSDBcXjze14Ob/ENRZxcSFaaevbUJSSsCWisIaamnE oPBFpnkUMzpMkwpTL1YFBR8LgLbTJpcKAfCnpcM4w3Qz3OgFE/Hb+R6oqSkVQW71surQ qYSg== X-Gm-Message-State: APjAAAWqKkkZP4FInUkyGb+5wwx1BEUQ2IE8FBXh6/uCYPhuAMo5k0yn cgZk3ENJ4r1uhIt4/dvZH5cJKu5PnW/3FmQ3keLeLQ== X-Received: by 2002:a1f:3692:: with SMTP id d140mr49563787vka.88.1564611416854; Wed, 31 Jul 2019 15:16:56 -0700 (PDT) Date: Wed, 31 Jul 2019 15:16:00 -0700 In-Reply-To: <20190731221617.234725-1-matthewgarrett@google.com> Message-Id: <20190731221617.234725-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190731221617.234725-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog Subject: [PATCH V37 12/29] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , x86@kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: x86@kernel.org --- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog