From eab9ee2e00234178efbc3fc3d35c0ffa7abc3ec7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 5 Apr 2017 17:40:30 +0100 Subject: [PATCH] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name 0050-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch --- arch/x86/kernel/ioport.c | 4 ++-- drivers/char/mem.c | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c index 3feb648781c..b55488c3a45 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -31,7 +31,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; - if (turn_on && !capable(CAP_SYS_RAWIO)) + if (turn_on && (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down())) return -EPERM; /* @@ -121,7 +121,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || kernel_is_locked_down()) return -EPERM; } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c index d0cc69aa3af..cd2d9b3bd68 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -769,6 +769,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) static int open_port(struct inode *inode, struct file *filp) { + if (kernel_is_locked_down()) + return -EPERM; return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } -- 2.30.2