From patchwork Thu Apr 4 00:32:33 2019
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10884681
Date: Wed, 3 Apr 2019 17:32:33 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-12-matthewgarrett@google.com>
References: <20190404003249.14356-1-matthewgarrett@google.com>
Subject: [PATCH V32 11/27] x86: Lock down IO port access when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett, x86@kernel.org
From: Matthew Garrett

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.

Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
cc: x86@kernel.org
Reviewed-by: Thomas Gleixner
---
arch/x86/kernel/ioport.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 0fe1c8782208..febbd7eb847c 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))) return -EPERM; /* @@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || + kernel_is_locked_down("iopl", LOCKDOWN_INTEGRITY)) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
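Review bot: in the ksys_ioperm() hunk the new condition `turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down("ioperm", LOCKDOWN_INTEGRITY))` is the right shape, but the commit message should say that it only refuses new grants: the check sits on the turn_on path, so clearing bits from the bitmap stays allowed under lockdown, and a task that already holds an I/O permission bitmap when lockdown takes effect keeps it, since nothing in this hunk revisits existing permissions. Evaluating capable() first means an unprivileged caller never reaches kernel_is_locked_down(), so any reporting that call does is limited to callers that would otherwise have succeeded; worth a short comment above the `if` so the ordering is not "simplified" later.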
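Review bot: in the iopl hunk the lockdown test is nested inside `if (level > old)`, so lowering IOPL under lockdown still succeeds and only raising it is refused, which matches the ioperm hunk; both paths return -EPERM for the locked-down case as well as the missing-capability case, so userspace cannot tell the two apart and the lockdown reason surfaces only through whatever kernel_is_locked_down("iopl", ...) reports. Since the commit message says the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls are covered "implicitly", please add one sentence naming which of these two entry points those ioctls reach, so a reviewer can confirm that no third path into the I/O bitmap or IOPL remains open.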