Date: Mon, 19 Aug 2019 17:17:41 -0700
In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com>
Message-Id: <20190820001805.241928-6-matthewgarrett@google.com>
Subject: [PATCH V40 05/29] lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Matthew Garrett, Kees Cook, x86@kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Matthew Garrett

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Reviewed-by: Kees Cook
Cc: x86@kernel.org
Signed-off-by: James Morris --- drivers/char/mem.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f26..d0148aee1aab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -29,8 +29,8 @@ #include #include #include - #include +#include #ifdef CONFIG_IA64 # include @@ -786,7 +786,10 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + + return security_locked_down(LOCKDOWN_DEV_MEM); } #define zero_lseek null_lseek diff --git a/include/linux/security.h b/include/linux/security.h index 9e8abb60a99f..e5dd446ef35b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -104,6 +104,7 @@ enum lsm_event { enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, + LOCKDOWN_DEV_MEM, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index d8e42125a5dd..240ecaa10a1d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -19,6 +19,7 @@ static enum lockdown_reason kernel_locked_down; static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", + [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog
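
Review bot: In open_port() in drivers/char/mem.c the lockdown check runs only when the device is opened, so a descriptor obtained before the kernel is locked down is not re-checked on later read, write or mmap. If lockdown can be raised after boot, either state that limitation in a comment above open_port() or also call `security_locked_down(LOCKDOWN_DEV_MEM)` on the access paths. The commit message names /dev/mem and /dev/kmem as well, but this hunk does not show how those two devices reach the check; a one-line comment saying which open handlers route through open_port() would let a reader confirm the coverage from the diff.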
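
Review bot: In enum lockdown_reason in include/linux/security.h, LOCKDOWN_DEV_MEM is inserted ahead of LOCKDOWN_INTEGRITY_MAX, yet nothing in the enum documents that a reason's position relative to the two _MAX sentinels matters. A short comment above the enum saying where new reasons belong and what each sentinel bounds would keep later additions from landing in the wrong range. Inserting in the middle also renumbers every value after it, which deserves a mention if these values are ever visible outside the kernel.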
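
Review bot: In lockdown_reasons[] in security/lockdown/lockdown.c the table is filled by designated initializers with nothing tying it to the enum at build time, so a reason added to enum lockdown_reason without a matching line here leaves a NULL entry. Consider a NULL check where the string is consumed, or a comment in the enum pointing at this table. As a style point, the new string "/dev/mem,kmem,port" names devices while its neighbour "unsigned module loading" names an action; wording such as "/dev/mem, /dev/kmem or /dev/port access" would read more consistently wherever the reason is printed.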