diff options
Diffstat (limited to 'debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch')
| -rw-r--r-- | debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch new file mode 100644 index 000000000..3a9d69dcb --- /dev/null +++ b/debian/patches/features/all/lockdown/0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -0,0 +1,46 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Wed, 8 Nov 2017 15:11:34 +0000 +Subject: [12/29] x86: Lock down IO port access when the kernel is locked down +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=00ebba940247d4c37c06da4aedecf6b80db213cf + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO +register space. This would potentially permit root to trigger arbitrary +DMA, so lock it down by default. + +This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and +KDDISABIO console ioctls. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Reviewed-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com> +cc: x86@kernel.org +--- + arch/x86/kernel/ioport.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: linux/arch/x86/kernel/ioport.c +=================================================================== +--- linux.orig/arch/x86/kernel/ioport.c ++++ linux/arch/x86/kernel/ioport.c +@@ -31,7 +31,8 @@ long ksys_ioperm(unsigned long from, uns + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("ioperm"))) + return -EPERM; + + /* +@@ -126,7 +127,8 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || ++ kernel_is_locked_down("iopl")) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | |