From: Matthew Garrett
To: Kai-Heng Feng
Cc: Matthew Garrett, jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Matthew Garrett, David Howells, Kees Cook, x86@kernel.org
Date: Wed, 5 Jan 2022 06:48:27 +0000
Subject: Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down
Message-ID: <20220105064827.GA30988@srcf.ucam.org>
References: <20190820001805.241928-1-matthewgarrett@google.com> <20190820001805.241928-13-matthewgarrett@google.com>

On Wed, Jan 05, 2022 at 02:25:41PM +0800, Kai-Heng Feng wrote:
> This patch breaks ioperm() usage from userspace programs with CAP_SYS_RAWIO cap.
>
> I wonder if it's possible to revert this commit?

When lockdown is enabled, or under all circumstances?
It's expected to be blocked when lockdown is enabled - allowing userland to use port IO would potentially allow reconfiguration of PCI devices in ways that could alter kernel behaviour in ways relevant to security, which is what lockdown aims to prevent. What's being broken by this?
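
Added example, not part of the original message or of the kernel patch: a small C diagnostic that reads the active lockdown mode and uses it to classify an ioperm() refusal as lockdown-related or not. The securityfs path /sys/kernel/security/lockdown, the probe port 0x80 and the function names are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <sys/io.h>
#endif

/* Copy the bracketed (active) mode out of a lockdown status line such as
 * "none [integrity] confidentiality". Returns 0 on success, -1 if there is
 * no well-formed [mode] or it does not fit in out. */
int lockdown_active_mode(const char *line, char *out, size_t outlen)
{
    const char *lb = strchr(line, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t n;

    if (!lb || !rb || rb == lb + 1)
        return -1;
    n = (size_t)(rb - lb - 1);
    if (n >= outlen)
        return -1;
    memcpy(out, lb + 1, n);
    out[n] = '\0';
    return 0;
}

/* 1: port I/O is expected to be refused; 0: not refused; -1: unknown mode. */
int lockdown_blocks_ioport(const char *mode)
{
    if (strcmp(mode, "none") == 0)
        return 0;
    if (!strcmp(mode, "integrity") || !strcmp(mode, "confidentiality"))
        return 1;   /* confidentiality includes the integrity restrictions */
    return -1;
}

int main(void)
{
    char line[128] = "", mode[32] = "unknown";
    FILE *f = fopen("/sys/kernel/security/lockdown", "r");

    if (f) {
        if (fgets(line, sizeof line, f))
            lockdown_active_mode(line, mode, sizeof mode);
        fclose(f);
    }
    printf("lockdown mode: %s\n", mode);
#if defined(__x86_64__) || defined(__i386__)
    if (ioperm(0x80, 1, 1) == 0) {          /* probe port: an assumption */
        puts("ioperm: granted");
        ioperm(0x80, 1, 0);                 /* drop the permission again */
    } else {
        printf("ioperm: %s (%s)\n", strerror(errno),
               lockdown_blocks_ioport(mode) == 1 ? "expected under lockdown"
                                                 : "check CAP_SYS_RAWIO");
    }
#endif
    return 0;
}
```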