Message ID | 18778.1508769258@warthog.procyon.org.uk (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
David, May I ask a question here -- Is it intentionally enabling the read-only mode, so userspace tools like dmidecode could work with kernel_is_locked_down ? while it was impossible to work with the attached patch applied. Is it a security policy change with secure boot ? Thanks, Ethan On Mon, Oct 23, 2017 at 10:34 PM, David Howells <dhowells@redhat.com> wrote: > I think I should replace this patch with the attached. This will prevent > /dev/mem, /dev/kmem and /dev/port from being *opened*, and thereby preventing > read, write and ioctl. > > David > --- > commit e68daa2256986932b9a7d6709cf9e24b30d93583 > Author: Matthew Garrett <matthew.garrett@nebula.com> > Date: Wed May 24 14:56:02 2017 +0100 > > Restrict /dev/{mem,kmem,port} when the kernel is locked down > > Allowing users to read and write to core kernel memory makes it possible > for the kernel to be subverted, avoiding module loading restrictions, and > also to steal cryptographic information. > > Disallow /dev/mem and /dev/kmem from being opened this when the kernel has > been locked down to prevent this. > > Also disallow /dev/port from being opened to prevent raw ioport access and > thus DMA from being used to accomplish the same thing. > > Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> > Signed-off-by: David Howells <dhowells@redhat.com> > Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> > > diff --git a/drivers/char/mem.c b/drivers/char/mem.c > index 593a8818aca9..0ce5ac0a5c6b 100644 > --- a/drivers/char/mem.c > +++ b/drivers/char/mem.c > @@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) > > static int open_port(struct inode *inode, struct file *filp) > { > + if (kernel_is_locked_down("/dev/mem,kmem,port")) > + return -EPERM; > return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; > } > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Ethan Zhao <ethan.kernel@gmail.com> wrote: > May I ask a question here -- Is it intentionally enabling the > read-only mode, so userspace > tools like dmidecode could work with kernel_is_locked_down ? while it > was impossible to work > with the attached patch applied. Is it a security policy change with > secure boot ? I removed readability on /dev/mem, /dev/kmem and /proc/kcore so that userspace can't use this to gain access to cryptographic material in use by the kernel. Readability was removed on /dev/port because reading from an I/O port register might have a side effect or might allow you to snoop h/w interactions, such as keyboard input. I can provide an additional config option to allow /dev/mem and similar to remain readable - but it needs to be a temporary affair. I can also log accesses to these interfaces so that we can find out what breaks and fix it. Note that dmidecode doesn't necessarily use /dev/mem: [root@andromeda ~]# strace -f -eopen dmidecode >/dev/null open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 open("/sys/firmware/dmi/tables/smbios_entry_point", O_RDONLY) = 3 open("/sys/firmware/dmi/tables/DMI", O_RDONLY) = 3 +++ exited with 0 +++ Indeed, my Fedora 24 test system boots without a /dev/mem file being present (I'm not sure *why* /dev/mem isn't present, but I hadn't noticed till now). David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 593a8818aca9..0ce5ac0a5c6b 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -762,6 +762,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; }