Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3355136ybl; Mon, 19 Aug 2019 17:22:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqwDU1fXrBIhR5cibQgJcA3haQqBnaZrR6buAFxpdCnB4KlRjw7jCY/KSUXtHbLuafgpeNZo X-Received: by 2002:a63:fc52:: with SMTP id r18mr22377291pgk.378.1566260523063; Mon, 19 Aug 2019 17:22:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566260523; cv=none; d=google.com; s=arc-20160816; b=Xy4TEFMyxgoBlgCun/oIqkpwzJ3GC3UQpkvNsE1tOqGA1I5URD0tEf3QkpEz0MjZxJ okpJB+kXNbmz4pMGZclZIKIp8OovEsrgnhqgA7ADJSb5W43nSo9OLNFFke3GnetAIENZ XR6JnK9sAAD92bvu9cfSwmzRKT9SLBl3BUqIImy3ylCflun37rnQzRFme/SaPKfkmvsx QZhHVsSOgRlPGNjkGtc/lVQHNpgrhqyY6Z9y+KMUCf+h2EWozXgD799RPBL/IhJfhmYI mV1UHWK4Tc5Hw2tJs6WnpgfiCVoi2MniPLqpi4iqeBy65k/jXAlam3DyDcbVa48MjOiX ZOmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=kCjTIca0P/GJFxU16YX7DQ4xD2nMI3cX2Z/4NQSE/Sc=; b=O5v48wTEaEyoBF/cjSsU+sh6jz+3HoKl4KuyogW3Af844ft1dOLYrnJaGg3Vgnc251 LLEuuS7LMTSDXELu1KPjXumkltlPNSL7ompTnwXZiGqi0Bife0QqPavAPRzroUto8d2/ UTd7xtsWQehIEOSTF2An+/B+a5f8MbFaR1DOLsP1dMvkaHDVdq+hGti+GY8/sw72cyoJ PuwfI/y8Qi2VxJ1Gq+Jgka6tXSnURb0jPkR9Mst+C7yQOebOocYsFXqtOXNwCcwf/P5b ukuvenDDz9q3/aahf+EY4hU6wsrl44Z8T6LdacFVtTiqXcOiRP0tPYPTcxdnXbRZTS/u sNMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="KQBvkuF/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j1si10854639pgk.187.2019.08.19.17.21.48; Mon, 19 Aug 2019 17:22:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="KQBvkuF/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729023AbfHTASo (ORCPT + 99 others); Mon, 19 Aug 2019 20:18:44 -0400 Received: from mail-pf1-f201.google.com ([209.85.210.201]:35161 "EHLO mail-pf1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728984AbfHTASm (ORCPT ); Mon, 19 Aug 2019 20:18:42 -0400 Received: by mail-pf1-f201.google.com with SMTP id x1so3530003pfq.2 for ; Mon, 19 Aug 2019 17:18:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=kCjTIca0P/GJFxU16YX7DQ4xD2nMI3cX2Z/4NQSE/Sc=; b=KQBvkuF/M1dzuAgHwCf82DbbRCvPK9GZf64/jVQ9LTne8ba0vruPyKkUvzKEAV4Do4 ldosC+iLz6ETawlccozW8ItJDaAXBXZATeA1nO9KNWC66nLVSi/eQGjxAac7SxWtBt80 F9ttqj8ulV04NpJ8P0R7xE+kPWB2SEZJlKpep9r3m0leisPBJgO+H06QZtS1RIQwOUvM aAAycTME7urbUMVzfSxauE7k8SqURCLc0gl2bCAw8gfpHncP4xy8sHCRp5tNJ/ikjNCp SBh93SgFozLEQXaTzHPp0WxbWNcOyZQqp2QWf1ydPAlK7JE3o0wgHP6nnj9xLY5ZbGVr 0hEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=kCjTIca0P/GJFxU16YX7DQ4xD2nMI3cX2Z/4NQSE/Sc=; b=gL5ALhEYWZjB0SRxZx0ja+jJ09wn9YSS++fMXh/rkzaOVfbAVAvGb7M6DMEAIKTPvO Rx1SKCRAZfpgzdQt8EznvkI25JuoNYIGnXf7/k3vD0kTjfEojdg86GTI/tVyupzy7QXx +0P36lgtG5XqRfpUQxYounmAbcOQZ5z64MgggsKnJgtAy5gUCNBhZ46MWswkxQ514jyw MIOZxuoWhvulhL7dW2jKPbyzFwEQXZItJX4uQmFHwdAnUoONl/cwQ/I7qcrG5feD6Vq4 hgaAGLNiIlaXp4FefJlrA+dqu5ss2p53hwveqe0UBR1ACj1afn5zwSIppWDpei1ZUtAr dPVA== X-Gm-Message-State: APjAAAW7mTcKGNO53kTrq+aXGMGofMtOMPeoqin/fkug9mgBBl90Zsq7 kYZimkLPI6RW1Fvc0Y9G/JxliwtJUm9+wl2d1/0b5w== X-Received: by 2002:a63:6a81:: with SMTP id f123mr22683545pgc.348.1566260321339; Mon, 19 Aug 2019 17:18:41 -0700 (PDT) Date: Mon, 19 Aug 2019 17:17:48 -0700 In-Reply-To: <20190820001805.241928-1-matthewgarrett@google.com> Message-Id: <20190820001805.241928-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190820001805.241928-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.23.0.rc1.153.gdeed80330f-goog Subject: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett , Matthew Garrett , David Howells , Kees Cook , x86@kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: Kees Cook cc: x86@kernel.org Signed-off-by: James Morris --- arch/x86/kernel/ioport.c | 7 +++++-- include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..61a89d3c0382 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -31,7 +32,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT))) return -EPERM; /* @@ -126,7 +128,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + security_locked_down(LOCKDOWN_IOPORT)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/include/linux/security.h b/include/linux/security.h index 2b763f0ee352..cd93fa5d3c6d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -108,6 +108,7 @@ enum lockdown_reason { LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, + LOCKDOWN_IOPORT, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 410e90eda848..8b7d65dbb086 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", + [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.23.0.rc1.153.gdeed80330f-goog