
Ben Collins 01-31-2008 01:06 PM

/dev/mem restrictions kernel patch
 
On Wed, 2008-01-30 at 19:49 -0800, Kees Cook wrote:
> On Wed, Jan 30, 2008 at 06:39:23PM -0800, Jeff Schroeder wrote:
> > Arjan van de Ven just posted a kernel patch for /dev/mem security that
> > looks interesting. It doesn't appear to be applied to ubuntu-hardy.git
> > or ubuntu-hardy-kees.git so I'm mentioning it now.
>
> Oh! This looks good. Arjan had mentioned these protections to me a
> while back, so I'm glad to see it has finally hit lkml.
>
> Unless someone on the kernel-team beats me to it, I'll put this into my
> tree for testing when I get back from vacation next week. :)

We had a similar patch before, back in dapper, but it had major
conflicts past that, so it was removed. Very useful though. I'd love to
have it back in there.

--
Ubuntu : http://www.ubuntu.com/
Linux1394: http://wiki.linux1394.org/
SwissDisk: http://www.swissdisk.com/


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tim Gardner 01-31-2008 01:16 PM

/dev/mem restrictions kernel patch
 
Jeff Schroeder wrote:
> Sorry for the crosspost, but I'm not sure how many of the kernel team
> are on the hardened list.
>
> Arjan van de Ven just posted a kernel patch for /dev/mem security that
> looks interesting. It doesn't appear to be applied to ubuntu-hardy.git
> or ubuntu-hardy-kees.git so I'm mentioning it now.
>
> Since ubuntu appears to be taking a more proactive security approach,
> are there any thoughts about merging this into the Hardy kernel? It is
> a small patch that looks like a big win.
>
> Shamelessly ripped description from http://lkml.org/lkml/2008/1/30/473 :
> --------------------------------------
> This patch introduces a restriction on /dev/mem: Only non-memory can be
> read or written unless the newly introduced config option is set.
>
> The X server needs access to /dev/mem for the PCI space, but it doesn't need
> access to memory; both the file permissions and SELinux permissions of /dev/mem
> just make X effectively super-super powerful. With the exception of the
> BIOS area, there's just no valid app that uses /dev/mem on actual memory.
> Other popular users of /dev/mem are rootkits and the like.
> (note: mmap access of memory via /dev/mem has already been disallowed
> for a really long time)
>
> People who want to use /dev/mem for kernel debugging can enable the config
> option.
>
> The restrictions of this patch have been in the Fedora and RHEL kernels for
> at least 4 years without any problems.
> --------------------------------------
>

+1 from me, but it doesn't apply cleanly to current Hardy. I'm gonna let
Kees handle integration and testing.

rtg

--
Tim Gardner tim.gardner@ubuntu.com
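Added example for this archive page, not code from the thread, from Arjan's patch or from the Ubuntu kernel tree: a user-space model of the policy the quoted description lays out (only non-memory can be read or written through /dev/mem, with the BIOS area as the one exception), driven by `/proc/iomem`-style "System RAM" ranges, plus a live check that tells an administrator whether the running kernel actually enforces the restriction. Everything here is an assumption chosen for the example: the function names, the 256-page (1 MiB) BIOS boundary, the constructed `/proc/iomem` excerpt, and the use of 16 MiB as a physical address that is system RAM on the probed machine. In later mainline kernels the config option is `CONFIG_STRICT_DEVMEM`; the thread itself does not name it.

```c
/* Added example: models the /dev/mem restriction on RAM and checks whether
 * the running kernel enforces it. Names, constants and the sample map are
 * assumptions for the example, not the kernel patch's own code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PAGE_SHIFT 12
#define BIOS_PAGES 256   /* assumption: first 1 MiB is the legacy BIOS/VGA area */
#define MAX_RANGES 64

struct ram_map { unsigned long long start[MAX_RANGES], end[MAX_RANGES]; int n; };

/* Constructed /proc/iomem excerpt (sample data, not captured from a machine). */
static const char sample_iomem[] =
    "00000000-0009ffff : System RAM\n"
    "000a0000-000bffff : Video RAM area\n"
    "000f0000-000fffff : System ROM\n"
    "00100000-3ffeffff : System RAM\n"
    "  01000000-0179ffff : Kernel code\n"
    "e0000000-efffffff : PCI Bus 0000:00\n"
    "  e0000000-e7ffffff : 0000:00:02.0\n"
    "fee00000-fee00fff : Local APIC\n";

/* Collect top-level "System RAM" ranges (inclusive bounds, as in /proc/iomem).
 * Indented lines are children of a range already recorded, so they are skipped. */
int parse_system_ram(const char *text, struct ram_map *map)
{
    map->n = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], name[128];
        unsigned long long s, e;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] != ' ' && map->n < MAX_RANGES &&
            sscanf(line, "%llx-%llx : %127[^\n]", &s, &e, name) == 3 &&
            strcmp(name, "System RAM") == 0) {
            map->start[map->n] = s;
            map->end[map->n] = e;
            map->n++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return map->n;
}

int page_is_ram(const struct ram_map *map, unsigned long pagenr)
{
    unsigned long long addr = (unsigned long long)pagenr << PAGE_SHIFT;
    for (int i = 0; i < map->n; i++)
        if (addr >= map->start[i] && addr <= map->end[i])
            return 1;
    return 0;
}

/* The modelled decision: 1 = access permitted, 0 = refused. */
int devmem_access_allowed(const struct ram_map *map, unsigned long pagenr)
{
    if (pagenr < BIOS_PAGES)
        return 1;   /* BIOS area: the one piece of RAM still reachable */
    if (!page_is_ram(map, pagenr))
        return 1;   /* PCI space, ROMs, APIC registers: not memory */
    return 0;       /* real memory: refused under the restriction */
}

/* Decide for a physical address against the constructed sample map. */
int sample_decision(unsigned long long addr)
{
    struct ram_map map;
    parse_system_ram(sample_iomem, &map);
    return devmem_access_allowed(&map, (unsigned long)(addr >> PAGE_SHIFT));
}

/* Live check on the running kernel: read one byte of real memory through
 * /dev/mem. Returns 1 if the kernel refuses with EPERM (restriction active),
 * 0 if the read succeeds (unrestricted), or -errno when /dev/mem cannot be
 * opened (typically EACCES when not root). ram_addr must be an address that
 * the live /proc/iomem lists as System RAM for the result to mean anything. */
int devmem_restricted(unsigned long long ram_addr)
{
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0)
        return -errno;
    unsigned char byte;
    ssize_t n = pread(fd, &byte, 1, (off_t)ram_addr);
    int err = errno;
    close(fd);
    if (n == 1)
        return 0;
    return err == EPERM ? 1 : -err;
}

int main(void)
{
    static const unsigned long long probes[] = { 0xf0000, 0x1000000, 0xe0000000, 0xfee00000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%#llx: %s\n", probes[i],
               sample_decision(probes[i]) ? "allowed (BIOS area or not memory)" : "refused (memory)");
    int live = devmem_restricted(0x1000000);   /* assumption: 16 MiB is System RAM here */
    if (live < 0)
        printf("live check skipped: open(/dev/mem): %s\n", strerror(-live));
    else
        printf("live check: kernel %s /dev/mem reads of memory\n", live ? "restricts" : "allows");
    return 0;
}
```

Build with `cc -std=c99 -Wall -o devmem_check devmem_check.c`. The model part runs as any user; the live check needs root to open `/dev/mem`, and on a kernel carrying the restriction it reports EPERM for the 16 MiB read while reads of PCI space or the BIOS area still succeed, which is exactly the behaviour the X server relies on and rootkits lose.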
