linux/drivers
Matthew Garrett 9b9d8dda1e lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down
Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: x86@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
2019-08-19 21:54:15 -07:00
..
accessibility treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 70 2019-05-24 17:36:47 +02:00
acpi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
amba treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
android binder: fix possible UAF when freeing buffer 2019-06-13 10:35:55 +02:00
ata treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
atm treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
auxdisplay auxdisplay/ht16k33.c: Convert to use vm_map_pages_zero() 2019-06-20 15:06:24 +02:00
base drivers/base/devres: introduce devm_release_action() 2019-06-13 17:34:56 -10:00
bcma
block treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
bluetooth treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
bus SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
cdrom treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
char lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down 2019-08-19 21:54:15 -07:00
clk A handful of clk driver fixes and one core framework fix 2019-06-28 08:50:09 +08:00
clocksource treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
connector treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
counter Second set of IIO fixes for the 5.2 cycle. 2019-06-17 22:28:29 +02:00
cpufreq treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cpuidle treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
crypto treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
dax mm/devm_memremap_pages: fix final page put race 2019-06-13 17:34:56 -10:00
dca treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 33 2019-05-24 17:27:11 +02:00
devfreq treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
dio treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
dma dmaengine fixes for v5.2 2019-07-06 10:06:37 -07:00
dma-buf treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 234 2019-06-19 17:09:07 +02:00
edac treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
eisa treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 210 2019-05-30 11:29:53 -07:00
extcon treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
firewire treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-06-29 19:32:09 +08:00
fmc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 60 2019-05-24 17:36:45 +02:00
fpga SPDX update for 5.2-rc4 2019-06-08 12:52:42 -07:00
fsi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 469 2019-06-19 17:09:11 +02:00
gnss treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
gpio gpio/spi: Fix spi-gpio regression on active high CS 2019-07-02 22:31:37 +02:00
gpu drm/imx: fix stale vblank timestamp after a modeset 2019-07-05 14:51:03 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2019-06-28 08:39:18 +08:00
hsi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
hv treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 320 2019-06-05 17:37:05 +02:00
hwmon treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
hwspinlock
hwtracing treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
i2c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
i3c treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
ide treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
idle treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 335 2019-06-05 17:37:06 +02:00
iio Staging/IIO/Counter fixes for 5.2-rc6 2019-06-21 10:20:19 -07:00
infiniband RDMA/efa: Handle mmap insertions overflow 2019-06-18 16:27:24 -04:00
input SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
interconnect treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
iommu IOMMU Fix for v5.2-rc5: 2019-06-22 14:08:47 -07:00
ipack treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-06-29 19:36:53 +08:00
isdn SPDX update for 5.2-rc3, round 1 2019-05-31 08:34:32 -07:00
leds treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
lightnvm treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 410 2019-06-05 17:37:14 +02:00
macintosh treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 247 2019-06-19 17:09:08 +02:00
mailbox treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mcb treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
md - Fix incorrect uses of kstrndup and DM logging macros in DM's early 2019-06-28 08:48:21 +08:00
media treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
memory treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
memstick treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
message treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
mfd - Bug Fixes 2019-06-25 03:41:03 +08:00
misc Char/Misc driver fixes for 5.2-rc6 2019-06-21 10:18:16 -07:00
mmc SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
mtd mtd: rawnand: sunxi: Add A23/A33 DMA support with extra MBUS configuration 2019-07-05 22:30:58 +02:00
mux
net ipv6: constify rt6_nexthop() 2019-06-26 13:26:08 -07:00
nfc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 417 2019-06-05 17:37:15 +02:00
ntb treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
nubus treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
nvdimm mm/devm_memremap_pages: fix final page put race 2019-06-13 17:34:56 -10:00
nvme Merge branch 'nvme-5.2-rc-next' of git://git.infradead.org/nvme into for-linus 2019-06-07 14:04:28 -06:00
nvmem treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
of treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428 2019-06-05 17:37:16 +02:00
opp treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
oprofile
parisc SPDX update for 5.2-rc4 2019-06-08 12:52:42 -07:00
parport treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pci PCI: PM: Avoid skipping bus-level PM on platforms without ACPI 2019-06-26 23:51:56 +02:00
pcmcia treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
perf treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
phy treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pinctrl Pin control fixes for the v5.2 cycle: 2019-06-29 16:51:10 +08:00
platform treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pnp treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 150 2019-05-30 11:25:19 -07:00
power treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
powercap treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 309 2019-06-05 17:37:04 +02:00
pps treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
ps3 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 167 2019-05-30 11:26:39 -07:00
ptp treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 167 2019-05-30 11:26:39 -07:00
pwm treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
rapidio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
ras RAS/CEC: Convert the timer callback to a workqueue 2019-06-07 23:21:39 +02:00
regulator treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
remoteproc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
reset treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
rpmsg
rtc treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
s390 vfio-ccw: Destroy kmem cache region on module exit 2019-06-13 15:52:28 +02:00
sbus treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
scsi SCSI fixes on 20190628 2019-06-29 16:59:45 +08:00
sfi treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
sh treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
siox treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
slimbus
sn treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
soc This set of patches fixes regressions introduced in v5.2 kernel when DA8xx 2019-07-02 15:13:20 -07:00
soundwire soundwire fixes for v5.2-rc4 2019-06-10 18:07:39 +02:00
spi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
spmi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284 2019-06-05 17:36:37 +02:00
ssb treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
staging Merge branch 'erofs_fix' into staging-linus 2019-06-17 22:59:28 +02:00
target SCSI fixes on 20190705 2019-07-06 09:56:20 -07:00
tc treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
tee treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
thermal treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
thunderbolt thunderbolt: Implement CIO reset correctly for Titan Ridge 2019-06-14 14:25:43 +03:00
tty vt/fbcon: deinitialize resources in visual_init() after failed memory allocation 2019-05-24 17:08:18 +02:00
uio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
usb usb: fixes for v5.2-rc5 2019-06-20 11:56:35 +02:00
uwb treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 234 2019-06-19 17:09:07 +02:00
vfio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
vhost treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 482 2019-06-19 17:09:52 +02:00
video treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
virt treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
virtio virtio: Fix indentation of VIRTIO_MMIO 2019-05-27 11:08:22 -04:00
visorbus treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
vlynq treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 102 2019-05-24 17:39:00 +02:00
vme treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
w1 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
watchdog treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xen treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
zorro treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Kconfig
Makefile