Date: Wed, 7 Aug 2019 17:06:57 -0700
In-Reply-To: <20190808000721.124691-1-matthewgarrett@google.com>
Message-Id: <20190808000721.124691-6-matthewgarrett@google.com>
References: <20190808000721.124691-1-matthewgarrett@google.com>
Subject: [PATCH V38 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
---
 drivers/char/mem.c           | 7 +++++--
 include/linux/security.h     | 1 +
 security/lockdown/lockdown.c | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 8e70063074a1..9458152601b5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2c53fd9f5c9b..d2ef29d9f0b2 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.770.g0f2c4a37fd-goog
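
Review bot: In the open_port() hunk of drivers/char/mem.c, security_locked_down(LOCKDOWN_DEV_MEM) is consulted only at open time, so a descriptor obtained before the kernel is locked down keeps working afterwards. If lockdown can be raised after boot, the I/O paths behind an already-open descriptor need the same check, or the commit message should state that open-time enforcement is the intended boundary. The hunk also touches only open_port() while the commit message names /dev/mem and /dev/kmem as well, so a one-line comment above the function saying which devices share this open handler would help.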
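
Review bot: In the enum lockdown_reason hunk of include/linux/security.h, nothing documents that the position of LOCKDOWN_DEV_MEM relative to LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX carries meaning. The commit message cites both subverting the kernel and stealing cryptographic information, so a short comment on the enum stating that entries above LOCKDOWN_INTEGRITY_MAX apply at the integrity level, and whether they also apply at the confidentiality level, would keep later additions from landing in the wrong tier.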
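
Review bot: In the lockdown_reasons[] hunk of security/lockdown/lockdown.c, each new enum lockdown_reason value needs a matching designated initializer and nothing here enforces that; a reason added to the enum without a string leaves a NULL entry in an array sized LOCKDOWN_CONFIDENTIALITY_MAX+1. Consider a comment beside the enum pointing at this table, or a NULL check where the string is used. The string "/dev/mem,kmem,port" also differs from the "/dev/{mem,kmem,port}" spelling in the subject line; picking one form makes the resulting messages easier to grep.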