x86: Lock down IO port access when the kernel is locked down

IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default. This also implicitly locks down the KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> cc: x86@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
author: Matthew Garrett <mjg59@srcf.ucam.org> 2019-08-19 17:17:48 -0700
committer: James Morris <jmorris@namei.org> 2019-08-19 21:54:16 -0700
commit: 96c4f67293e4cd8b3394adce5a8041a2784e68a3 (patch)
tree: 3751173c1272f25476857239381f2c63165ee7cf /security
parent: eb627e17727ebeede70697ae1798688b0d328b54 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 410e90eda848..8b7d65dbb086 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -23,6 +23,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_KEXEC] = "kexec of unsigned images",
 	[LOCKDOWN_HIBERNATION] = "hibernation",
 	[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
+	[LOCKDOWN_IOPORT] = "raw io port access",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };
author	Matthew Garrett <mjg59@srcf.ucam.org>	2019-08-19 17:17:48 -0700
committer	James Morris <jmorris@namei.org>	2019-08-19 21:54:16 -0700
commit	96c4f67293e4cd8b3394adce5a8041a2784e68a3 (patch)
tree	3751173c1272f25476857239381f2c63165ee7cf /security
parent	eb627e17727ebeede70697ae1798688b0d328b54 (diff)