From patchwork Thu Mar  9 21:19:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tycho Andersen <tycho@docker.com>
X-Patchwork-Id: 9614209
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	250CA60417
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Mar 2017 21:29:00 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 139EA286BF
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Mar 2017 21:29:00 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 07F43286C3; Thu,  9 Mar 2017 21:29:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3E5D9286BC
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Mar 2017 21:28:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753120AbdCIV27 (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Thu, 9 Mar 2017 16:28:59 -0500
Received: from mail-pg0-f49.google.com ([74.125.83.49]:35164 "EHLO
	mail-pg0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752466AbdCIV26 (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Thu, 9 Mar 2017 16:28:58 -0500
Received: by mail-pg0-f49.google.com with SMTP id b129so30763308pgc.2
	for <linux-security-module@vger.kernel.org>;
	Thu, 09 Mar 2017 13:28:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=docker.com; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=1W+QQ9ERGMzFLCWMGyU42SmyGxMm8Rf7LOFexwKBFlQ=;
	b=KeeoO5tXJbL+Fo7W2h1OXoRrzdSZvIA0G5SUIgvGcmu6XlG2cNfdM15dqAQw+MPFig
	HShu68q9EnM99bNXD42xcbGEQvqKtBUhkULcQSzD9u2hZ0Z0Sov6Lrl4xzs3MBT2YWZS
	eYaGufYsuenXrjnNkfDEUynKoxmn51L/Lk18I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=1W+QQ9ERGMzFLCWMGyU42SmyGxMm8Rf7LOFexwKBFlQ=;
	b=otVwIuMMSrttJtcZLmAx8QsQKY3RyXgOKvuhgT6YJZbn7L6aXnqeifbaxeVLDQIy+d
	OWIdA46dPBcvECgMgFmKiUO6bMmuWueNfxeSzkMfsUtW0BimmgvMMpK5nerGGOPesYTB
	WgaAXjzNnVf9AqfLhADHPjrlnwpCCjXmJ7yrLxJBs99DpzN8eTETQvC+en8e1vGNSH/d
	qQRHcM6l9iK5w73OoCOW6Fp9rKdwbrX9OZjt1+nt2oKeC16Z+1odd9yMamFu/EU4/m46
	Hd8Mm/DsfiMdjL2fxorFfvoVgeeYovwqxS9d6XgWnAzaQeiGUddtWWucXIUoZmwCdfiM
	5gbA==
X-Gm-Message-State: 
 AMke39m/8zxGieOp3l63YuJRml5cgpCBnmcKmCsKGDpasUA+FPYU3+ZZokR+qHazsNxCc5iM
X-Received: by 10.84.241.69 with SMTP id u5mr20090818plm.107.1489094423521;
	Thu, 09 Mar 2017 13:20:23 -0800 (PST)
Received: from docker-Precision-5510.docker.com
	(50-233-46-102-static.hfc.comcastbusiness.net. [50.233.46.102])
	by smtp.gmail.com with ESMTPSA id
	g29sm14253772pfg.37.2017.03.09.13.20.22
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Thu, 09 Mar 2017 13:20:22 -0800 (PST)
From: Tycho Andersen <tycho@docker.com>
To: Kees Cook <keescook@chromium.org>,
	James Morris <james.l.morris@oracle.com>
Cc: linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Tycho Andersen <tycho@docker.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: [PATCH v3] security/Kconfig: further restrict HARDENED_USERCOPY
Date: Thu,  9 Mar 2017 13:19:49 -0800
Message-Id: <1489094389-28007-1-git-send-email-tycho@docker.com>
X-Mailer: git-send-email 2.7.4
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory (i.e.
!STRICT_DEVMEM).

v2: add !MMU depend as well
v3: drop !MMU, s/ARCH_HAS_DEVMEM_IS_ALLOWED/DEVMEM, which makes the above
    commit message actually match the logic again

Signed-off-by: Tycho Andersen <tycho@docker.com>
CC: Kees Cook <keescook@chromium.org>
CC: "Serge E. Hallyn" <serge@hallyn.com>
CC: James Morris <james.l.morris@oracle.com>
---
 security/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..4619cee 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -142,6 +142,8 @@ config HARDENED_USERCOPY
 	bool "Harden memory copies between kernel and userspace"
 	depends on HAVE_ARCH_HARDENED_USERCOPY
 	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+	depends on !DEVKMEM
+	depends on !DEVMEM || STRICT_DEVMEM
 	select BUG
 	help
 	  This option checks for obviously wrong memory regions when