Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Sep 24, 2020. It is now read-only.

Roll back to 4.9.24 for stable #53

Merged
merged 18 commits into from
Apr 24, 2017
Merged

Roll back to 4.9.24 for stable #53

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
32f0bb6
Add secure_modules() call
Aug 9, 2013
8cc7c3a
PCI: Lock down BAR access when module security is enabled
Mar 8, 2012
a191b45
x86: Lock down IO port access when module security is enabled
Mar 8, 2012
f022ee2
ACPI: Limit access to custom_method
Mar 9, 2012
ee2b27f
asus-wmi: Restrict debugfs interface when module loading is restricted
Mar 9, 2012
d09cc7f
Restrict /dev/mem and /dev/kmem when module loading is restricted
Mar 9, 2012
e7ba6c6
acpi: Ignore acpi_rsdp kernel parameter when module loading is restri…
jwboyer Jun 25, 2012
14b62c4
kexec: Disable at runtime if the kernel enforces module loading restr…
Nov 20, 2015
6bc71c7
x86: Restrict MSR access when module loading is restricted
Feb 8, 2013
635d13f
Add option to automatically enforce module signatures when in Secure …
Aug 9, 2013
69f2559
efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
Aug 27, 2013
cbc0cd9
efi: Add EFI_SECURE_BOOT bit
Aug 27, 2013
c80f870
hibernate: Disable in a signed modules environment
Jun 20, 2014
c9f538d
kbuild: derive relative path for KBUILD_SRC from CURDIR
Nov 25, 2015
e1fde4f
Add arm64 coreos verity hash
glevand Nov 12, 2016
33f3d95
selinux: allow context mounts on tmpfs, ramfs, devpts within user nam…
stephensmalley Jan 9, 2017
4453acc
perf/x86/intel/rapl: Make package handling more robust
KAGA-KOKO Jan 31, 2017
d339b36
perf/x86/intel/uncore: Make package handling more robust
KAGA-KOKO Jan 31, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
x86: Lock down IO port access when module security is enabled 
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.

Signed-off-by: Matthew Garrett <[email protected]>
  • Loading branch information
@bgilbert
Matthew Garrett authored and bgilbert committed Apr 24, 2017
commit a191b452265caa2ed0d5e48de302ee6546751695
5 changes: 3 additions & 2 deletions arch/x86/kernel/ioport.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include <linux/thread_info.h>
#include <linux/syscalls.h>
#include <linux/bitmap.h>
#include <linux/module.h>
#include <asm/syscalls.h>

/*
Expand All @@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)

if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
if (turn_on && !capable(CAP_SYS_RAWIO))
if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules()))
return -EPERM;

/*
Expand Down Expand Up @@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
return -EINVAL;
/* Trying to gain more privileges? */
if (level > old) {
if (!capable(CAP_SYS_RAWIO))
if (!capable(CAP_SYS_RAWIO) || secure_modules())
return -EPERM;
}
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
Expand Down
4 changes: 4 additions & 0 deletions drivers/char/mem.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
#include <linux/export.h>
#include <linux/io.h>
#include <linux/uio.h>
#include <linux/module.h>

#include <linux/uaccess.h>

Expand Down Expand Up @@ -600,6 +601,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
unsigned long i = *ppos;
const char __user *tmp = buf;

if (secure_modules())
return -EPERM;

if (!access_ok(VERIFY_READ, buf, count))
return -EFAULT;
while (count-- > 0 && i < 65536) {
Expand Down