UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem, kmem, port} when the kernel is locked down

BugLink: https://bugs.launchpad.net/bugs/1884159 Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> (backported from commit 2eada4c7af2d4e9522a47523d2a5106d96271cd9 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

UBUNTU: SAUCE: (efi-lockdown) Restrict /dev/{mem, kmem, port} when the kernel is locked down
BugLink: https://bugs.launchpad.net/bugs/1884159 Allowing users to read and write to core kernel memory makes it possible for the kernel to be subverted, avoiding module loading restrictions, and also to steal cryptographic information. Disallow /dev/mem and /dev/kmem from being opened this when the kernel has been locked down to prevent this. Also disallow /dev/port from being opened to prevent raw ioport access and thus DMA from being used to accomplish the same thing. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> (backported from commit 2eada4c7af2d4e9522a47523d2a5106d96271cd9 git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git) Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
764f4025 · Matthew Garrett · Khalid Elmously · 009ff27a · 764f4025
Commit 764f4025 authored Jun 19, 2020 by Matthew Garrett Committed by Khalid Elmously Jun 30, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/char/mem.c drivers/char/mem.c +3 -0

No files found.
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -8,6 +8,7 @@
 *  Shared /dev/zero mmapping support, Feb 2000, Kanoj Sarcar <kanoj@sgi.com>
 */

+#include <linux/module.h>
 #include <linux/mm.h>
 #include <linux/miscdevice.h>
 #include <linux/slab.h>
@@ -756,6 +757,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)

 static int open_port(struct inode *inode, struct file *filp)
 {
+	if (secure_modules())
+		return -EPERM;
 	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }