From a511ca8a3a6e47e674eccd19e1c6da03e5e16c65 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 18 Feb 2019 12:44:58 +0000 Subject: [PATCH] Restrict /dev/{mem,kmem,port} when the kernel is locked down Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Reviewed-by: "Lee, Chun-Yi" Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name 0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch --- drivers/char/mem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index b08dc50f9f2..0a2f2e75d5f 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down("/dev/mem,kmem,port")) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } -- 2.30.2