Date: Wed, 7 Aug 2019 17:07:04 -0700
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>
Message-Id: <20190808000721.124691-13-matthewgarrett@google.com>
References: <20190808000721.124691-1-matthewgarrett@google.com>
X-Mailer: git-send-email 2.22.0.770.g0f2c4a37fd-goog
Subject: [PATCH V38 12/29] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, Matthew Garrett, David Howells, Kees Cook, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and
KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
Reviewed-by: Kees Cook
cc: x86@kernel.org
---
 arch/x86/kernel/ioport.c     | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 8adbd62b7669..79250b2ffb8f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 655fe388e615..316f7cf4e996 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog
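Review bot: in ksys_ioperm() the new security_locked_down(LOCKDOWN_IOPORT) test sits inside the `turn_on &&` condition, so a locked-down kernel still accepts requests that clear port bits, and nothing in the code says this is intended. The commit message also states that the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls are locked down only implicitly by this change, which a reader of ioport.c cannot see. A short comment above the check covering both points would keep a later refactor from moving the lockdown test out of the shared path or extending it to the turn-off case by accident.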
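Review bot: in the iopl() hunk a caller that holds CAP_SYS_RAWIO now gets -EPERM when raising the level on a locked-down kernel, the same errno as a missing capability, so userspace cannot tell the two causes apart. Since the check is `!capable(CAP_SYS_RAWIO) || security_locked_down(LOCKDOWN_IOPORT)` with a single `return -EPERM`, the commit message should say explicitly that EPERM from iopl() and ioperm() can now mean lockdown, so the user-facing documentation can follow. Lowering the level stays allowed because the test remains inside `if (level > old)`, which is worth keeping that way.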
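Review bot: in include/linux/security.h, LOCKDOWN_IOPORT is inserted above LOCKDOWN_INTEGRITY_MAX in enum lockdown_reason, and the `_MAX` markers suggest that position alone decides whether a reason belongs to the integrity or the confidentiality band, yet the visible context carries no comment saying the ordering is significant. That placement matches the commit message (arbitrary DMA is an integrity problem), but a comment on the enum stating that new reasons must go before the matching `_MAX` entry would stop a later addition from being appended in the wrong band.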
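Review bot: style point on the security/lockdown/lockdown.c hunk: the new reason string `"raw io port access"` writes the acronym in lower case, while the neighbouring entry is `"direct PCI access"` and the commit message and subject both write "IO port access". Suggest `"raw IO port access"` so the reason text is consistent wherever it is shown or searched for.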