ea38f2f
From e7817a96c7ef1b502dba6f70b75f9e8993a8750b Mon Sep 17 00:00:00 2001
6a91557
From: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
Date: Thu, 8 Mar 2012 10:35:59 -0500
ea38f2f
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
ea38f2f
 enabled
6a91557
6a91557
IO port access would permit users to gain access to PCI configuration
6a91557
registers, which in turn (on a lot of hardware) give access to MMIO register
6a91557
space. This would potentially permit root to trigger arbitrary DMA, so lock
6a91557
it down by default.
6a91557
6a91557
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
---
6a91557
 arch/x86/kernel/ioport.c | 5 +++--
6a91557
 drivers/char/mem.c       | 4 ++++
6a91557
 2 files changed, 7 insertions(+), 2 deletions(-)
6a91557
6a91557
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
6a44257
index 589b3193f102..ab8372443efb 100644
6a91557
--- a/arch/x86/kernel/ioport.c
6a91557
+++ b/arch/x86/kernel/ioport.c
6a91557
@@ -15,6 +15,7 @@
6a91557
 #include <linux/thread_info.h>
6a91557
 #include <linux/syscalls.h>
6a91557
 #include <linux/bitmap.h>
6a91557
+#include <linux/module.h>
6a91557
 #include <asm/syscalls.h>
6a91557
 
6a91557
 /*
6a91557
@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
6a91557
 
6a91557
 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
6a91557
 		return -EINVAL;
6a91557
-	if (turn_on && !capable(CAP_SYS_RAWIO))
6a91557
+	if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
6a91557
 		return -EPERM;
6a91557
 
6a91557
 	/*
6a44257
@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
6a91557
 		return -EINVAL;
6a91557
 	/* Trying to gain more privileges? */
6a91557
 	if (level > old) {
6a91557
-		if (!capable(CAP_SYS_RAWIO))
6a91557
+		if (!capable(CAP_SYS_RAWIO) || secure_modules())
6a91557
 			return -EPERM;
6a91557
 	}
6a44257
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
6a91557
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
ea38f2f
index 5bb1985ec484..7f1a7ab5850d 100644
6a91557
--- a/drivers/char/mem.c
6a91557
+++ b/drivers/char/mem.c
ea38f2f
@@ -28,6 +28,7 @@
6a91557
 #include <linux/export.h>
6a91557
 #include <linux/io.h>
cc7213f
 #include <linux/uio.h>
6a91557
+#include <linux/module.h>
6a91557
 
f1193f2
 #include <linux/uaccess.h>
6a91557
 
ea38f2f
@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
6a91557
 	unsigned long i = *ppos;
6a91557
 	const char __user *tmp = buf;
6a91557
 
6a91557
+	if (secure_modules())
6a91557
+		return -EPERM;
6a91557
+
6a91557
 	if (!access_ok(VERIFY_READ, buf, count))
6a91557
 		return -EFAULT;
6a91557
 	while (count-- > 0 && i < 65536) {
18c8249
-- 
ea38f2f
2.9.3
18c8249