summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorMatthew Garrett <mjg59@srcf.ucam.org>2019-08-20 02:17:48 +0200
committerJames Morris <jmorris@namei.org>2019-08-20 06:54:16 +0200
commit96c4f67293e4cd8b3394adce5a8041a2784e68a3 (patch)
tree3751173c1272f25476857239381f2c63165ee7cf /security
parentPCI: Lock down BAR access when the kernel is locked down (diff)
downloadlinux-96c4f67293e4cd8b3394adce5a8041a2784e68a3.tar.xz
linux-96c4f67293e4cd8b3394adce5a8041a2784e68a3.zip
x86: Lock down IO port access when the kernel is locked down
IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> cc: x86@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/lockdown/lockdown.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 410e90eda848..8b7d65dbb086 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_KEXEC] = "kexec of unsigned images",
[LOCKDOWN_HIBERNATION] = "hibernation",
[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
+ [LOCKDOWN_IOPORT] = "raw io port access",
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};