| Message ID | 150842482228.7923.9630520914833154257.stgit@warthog.procyon.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, 19 Oct 2017, David Howells wrote: > Disallow access to /proc/kcore when the kernel is locked down to prevent > access to cryptographic data. > > Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: James Morris <james.l.morris@oracle.com> I have to wonder, though, after everything is locked down, how easy will it be for new things to slip in which need to be included in the lockdown, but are not.
James Morris <james.l.morris@oracle.com> wrote: > I have to wonder, though, after everything is locked down, how easy will > it be for new things to slip in which need to be included in the lockdown, > but are not. That's always a possibility, and short of reviewing every change, particularly in the drivers, I'm not sure how to prevent it. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index 45629f4b5402..176cf749e650 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -549,6 +549,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos) static int open_kcore(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/proc/kcore")) + return -EPERM; if (!capable(CAP_SYS_RAWIO)) return -EPERM;
Disallow access to /proc/kcore when the kernel is locked down to prevent access to cryptographic data. Signed-off-by: David Howells <dhowells@redhat.com> --- fs/proc/kcore.c | 2 ++ 1 file changed, 2 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html