git.baikalelectronics.ru Git - kernel.git/commit
lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down
author: Matthew Garrett <mjg59@srcf.ucam.org>
Tue, 20 Aug 2019 00:17:41 +0000 (17:17 -0700)
committer: James Morris <jmorris@namei.org>
Tue, 20 Aug 2019 04:54:15 +0000 (21:54 -0700)
commit: 7b316d9c5111f02a4950d5bee137a35f6fc69bee
tree: aa5a6719f76556e20ce1ca6e286d10660f1746f5
parent: d664aa16804a2a94dadf5bdca83af5e5bc2fe1e4
lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: x86@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
drivers/char/mem.c
include/linux/security.h
security/lockdown/lockdown.c
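As an added check (not part of this commit or of the kernel tree): a user-space audit that reads the active lockdown mode from /sys/kernel/security/lockdown and verifies that the three devices named in the subject refuse open() when the kernel is locked down. It assumes the securityfs path and the "[mode]" marker format of current kernels, and that the restriction applies from the "integrity" level upward (the commit message itself only says "locked down"); run it as root so that a refusal reflects lockdown rather than the device node's file permissions.

```python
import os

# Assumed securityfs path; the file reads like "[none] integrity confidentiality".
LOCKDOWN_SYSFS = "/sys/kernel/security/lockdown"
# The devices whose open() this commit gates on lockdown (from the subject line).
RESTRICTED_DEVICES = ("/dev/mem", "/dev/kmem", "/dev/port")
# Assumption: these devices are refused at "integrity" and "confidentiality".
LOCKED_MODES = ("integrity", "confidentiality")


def parse_lockdown_mode(text):
    """Return the active mode, i.e. the token wrapped in [brackets]."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError("no active mode marked in %r" % text)


def expected_open_outcome(mode):
    """What open() on the raw-memory devices should do under this mode."""
    return "denied" if mode in LOCKED_MODES else "allowed"


def try_open(path):
    """Read-only open attempt: 'allowed', 'denied' (EPERM/EACCES) or 'missing'."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:  # lockdown returns -EPERM; DAC returns -EACCES
        return "denied"
    except FileNotFoundError:  # e.g. CONFIG_DEVKMEM=n leaves no /dev/kmem node
        return "missing"
    os.close(fd)
    return "allowed"


def audit(mode_text, open_results):
    """Compare observed open() results against what the lockdown mode requires."""
    mode = parse_lockdown_mode(mode_text)
    want = expected_open_outcome(mode)
    findings = []
    for path, got in open_results.items():
        if got != "missing" and got != want:
            findings.append("%s: open %s, but lockdown=%s requires %s"
                            % (path, got, mode, want))
    return findings


if __name__ == "__main__":
    with open(LOCKDOWN_SYSFS) as f:
        mode_text = f.read()
    results = {p: try_open(p) for p in RESTRICTED_DEVICES}
    for line in audit(mode_text, results) or ["raw-memory devices match lockdown mode"]:
        print(line)
```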