Restrict /dev/{mem,kmem,port} when the kernel is locked down

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0005-Restrict-dev-mem-kmem-port-when-the-kernel-is-locked.patch

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 6aefe5370e5b15c45bda8e156ccdfd1b99e9e3f5..46484a6e31c95a2097f110bfa4bf2c53c59854fd 100644 (file)
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -767,6 +767,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
 
 static int open_port(struct inode *inode, struct file *filp)
 {
+       if (kernel_is_locked_down("/dev/mem,kmem,port"))
+               return -EPERM;
        return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }