This repository was archived by the owner on Sep 24, 2020. It is now read-only.
Merged
21 commits
a4715e7
Add secure_modules() call
Aug 9, 2013
59a1862
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
0e48816
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
e7814fd
ACPI: Limit access to custom_method
Mar 9, 2012
80198ae
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
c92077b
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
60daa41
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
7610966
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
fa15f4f
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
a111cd3
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
b19e692
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
783e023
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
dee15a2
hibernate: Disable in a signed modules environment
Jun 20, 2014
33a9f95
Security: Provide copy-up security hooks for unioned files
dhowells Jun 16, 2015
f34a790
Overlayfs: Use copy-up security hooks
dhowells Jun 16, 2015
ea05ed2
SELinux: Stub in copy-up handling
dhowells Jun 16, 2015
3a1a354
SELinux: Handle opening of a unioned file
dhowells Jun 16, 2015
8b5096e
SELinux: Check against union label for file operations
dhowells Jun 16, 2015
ed6d767
net/wireless/wl18xx: Add missing MODULE_FIRMWARE
glevand Sep 2, 2015
e815c8b
overlayfs: use a minimal buffer in ovl_copy_xattr
Oct 20, 2015
337f09a
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
Restrict /dev/mem and /dev/kmem when module loading is restricted
Allowing users to write to address space makes it possible for the kernel
to be subverted, avoiding module loading restrictions. Prevent this when
any restrictions have been imposed on loading modules.

Signed-off-by: Matthew Garrett <[email protected]>
Matthew Garrett authored and crawford committed Dec 17, 2015
commit c92077b3cd09d5ad55459ff937af8f33112f3309
6 changes: 6 additions & 0 deletions drivers/char/mem.c
Expand Up @@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
if (p != *ppos)
return -EFBIG;

if (secure_modules())
return -EPERM;

if (!valid_phys_addr_range(p, count))
return -EFAULT;

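Review bot: in write_mem() the secure_modules() test sits after the `p != *ppos` check, so a refused write can return -EFBIG instead of -EPERM depending on the offset passed in. Moving `if (secure_modules()) return -EPERM;` to the top of the function body, where the write_kmem() hunk places it, would make the policy result independent of the arguments and keep the two handlers consistent.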
Expand Down Expand Up @@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
int err = 0;

if (secure_modules())
return -EPERM;

if (p < (unsigned long) high_memory) {
unsigned long to_write = min_t(unsigned long, count,
(unsigned long)high_memory - p);
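Review bot: the early return added at the top of write_kmem() has no comment, and together with the matching check in write_mem() it accounts for all six lines this commit adds to drivers/char/mem.c, so only the write() handlers are gated. A one-line comment above the check saying that writes are refused because module loading is restricted would explain the -EPERM to later readers. The commit message should also state whether other write-capable entry points in this file, such as a writable mmap of /dev/mem, are deliberately left alone or are covered by another patch in the series.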