From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Wed, 5 Apr 2017 16:40:30 +0000 (+0100)
Subject: Restrict /dev/mem and /dev/kmem when the kernel is locked down
X-Git-Tag: archive/raspbian/4.15.4-1+rpi1~56
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=996381c82924fae9320429cf25257a2af1485836;p=linux.git

Restrict /dev/mem and /dev/kmem when the kernel is locked down

Allowing users to write to address space makes it possible for the kernel to
be subverted, avoiding module loading restrictions.  Prevent this when the
kernel has been locked down.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
Signed-off-by: David Howells <dhowells@redhat.com>

Gbp-Pq: Topic features/all/lockdown
Gbp-Pq: Name 0042-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
---

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 970e1242a28..d0cc69aa3af 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -180,6 +180,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
 	if (p != *ppos)
 		return -EFBIG;
 
+	if (kernel_is_locked_down())
+		return -EPERM;
+
 	if (!valid_phys_addr_range(p, count))
 		return -EFAULT;
 
@@ -541,6 +544,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 	int err = 0;
 
+	if (kernel_is_locked_down())
+		return -EPERM;
+
 	if (p < (unsigned long) high_memory) {
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);