x86: introduce /dev/mem restrictions with a config option

This patch introduces a restriction on /dev/mem: Only non-memory can be read or written unless the newly introduced config option is set. The X server needs access to /dev/mem for the PCI space, but it doesn't need access to memory; both the file permissions and SELinux permissions of /dev/mem just make X effectively super-super powerful. With the exception of the BIOS area, there's just no valid app that uses /dev/mem on actual memory. Other popular users of /dev/mem are rootkits and the like. (note: mmap access of memory via /dev/mem was already not allowed since a really long time) People who want to use /dev/mem for kernel debugging can enable the config option. The restrictions of this patch have been in the Fedora and RHEL kernels for at least 4 years without any problems. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Arjan van de Ven <arjan@linux.intel.com> 2008-04-24 17:40:47 -0400
committer: Ingo Molnar <mingo@elte.hu> 2008-04-24 17:40:47 -0400
commit: ae531c26c5c2a28ca1b35a75b39b3b256850f2c8 (patch)
tree: e4c2f3ec25bdb0e2e5f7f15f79a60c3175f03718 /arch
parent: 94bc891b00e40cbec375feb4568780af183fd7f4 (diff)
3 files changed, 51 insertions, 0 deletions
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 610aaecc19f8..0c1890c41279 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -5,6 +5,18 @@ config TRACE_IRQFLAGS_SUPPORT
 source "lib/Kconfig.debug"
+config NONPROMISC_DEVMEM
+        bool "Disable promiscuous /dev/mem"
+        default y
+        help
+          The /dev/mem file by default only allows userspace access to PCI
+          space and the BIOS code and data regions. This is sufficient for
+          dosemu and X and all common users of /dev/mem. With this config
+          option, you allow userspace access to all of memory, including
+          kernel and userspace memory. Accidental access to this is
+          obviously disasterous, but specific access can be used by people
+          debugging the kernel.
 config EARLY_PRINTK
        bool "Early printk" if EMBEDDED
        default y
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
index 9ec62da85fd7..39852d539018 100644
--- a/arch/x86/mm/init_32.c
+++ b/arch/x86/mm/init_32.c
@@ -227,6 +227,25 @@ static inline int page_kills_ppro(unsigned long pagenr)
        return 0;
 }
+/*
+ * devmem_is_allowed() checks to see if /dev/mem access to a certain address
+ * is valid. The argument is a physical page number.
+ *
+ *
+ * On x86, access has to be given to the first megabyte of ram because that area
+ * contains bios code and data regions used by X and dosemu and similar apps.
+ * Access has to be given to non-kernel-ram areas as well, these contain the PCI
+ * mmio resources as well as potential bios/acpi data regions.
+ */
+int devmem_is_allowed(unsigned long pagenr)
+{
+        if (pagenr <= 256)
+                return 1;
+        if (!page_is_ram(pagenr))
+                return 1;
+        return 0;
+}
 #ifdef CONFIG_HIGHMEM
 pte_t *kmap_pte;
 pgprot_t kmap_prot;
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 1ff7906a9a4d..49c274ee2fba 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -664,6 +664,26 @@ EXPORT_SYMBOL_GPL(memory_add_physaddr_to_nid);
 #endif /* CONFIG_MEMORY_HOTPLUG */
+/*
+ * devmem_is_allowed() checks to see if /dev/mem access to a certain address
+ * is valid. The argument is a physical page number.
+ *
+ *
+ * On x86, access has to be given to the first megabyte of ram because that area
+ * contains bios code and data regions used by X and dosemu and similar apps.
+ * Access has to be given to non-kernel-ram areas as well, these contain the PCI
+ * mmio resources as well as potential bios/acpi data regions.
+ */
+int devmem_is_allowed(unsigned long pagenr)
+{
+        if (pagenr <= 256)
+                return 1;
+        if (!page_is_ram(pagenr))
+                return 1;
+        return 0;
+}
 static struct kcore_list kcore_mem, kcore_vmalloc, kcore_kernel,
                         kcore_modules, kcore_vsyscall;
author	Arjan van de Ven <arjan@linux.intel.com>	2008-04-24 17:40:47 -0400
committer	Ingo Molnar <mingo@elte.hu>	2008-04-24 17:40:47 -0400
commit	ae531c26c5c2a28ca1b35a75b39b3b256850f2c8 (patch)
tree	e4c2f3ec25bdb0e2e5f7f15f79a60c3175f03718 /arch
parent	94bc891b00e40cbec375feb4568780af183fd7f4 (diff)

diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index 610aaecc19f8..0c1890c41279 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug
@@ -5,6 +5,18 @@ config TRACE_IRQFLAGS_SUPPORT
5		5
6	source "lib/Kconfig.debug"	6	source "lib/Kconfig.debug"
7		7
		8	config NONPROMISC_DEVMEM
		9	bool "Disable promiscuous /dev/mem"
		10	default y
		11	help
		12	The /dev/mem file by default only allows userspace access to PCI
		13	space and the BIOS code and data regions. This is sufficient for
		14	dosemu and X and all common users of /dev/mem. With this config
		15	option, you allow userspace access to all of memory, including
		16	kernel and userspace memory. Accidental access to this is
		17	obviously disasterous, but specific access can be used by people
		18	debugging the kernel.
		19
8	config EARLY_PRINTK	20	config EARLY_PRINTK
9	bool "Early printk" if EMBEDDED	21	bool "Early printk" if EMBEDDED
10	default y	22	default y


diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c index 9ec62da85fd7..39852d539018 100644 --- a/arch/x86/mm/init_32.c +++ b/arch/x86/mm/init_32.c
@@ -227,6 +227,25 @@ static inline int page_kills_ppro(unsigned long pagenr)
227	return 0;	227	return 0;
228	}	228	}
229		229
		230	/*
		231	* devmem_is_allowed() checks to see if /dev/mem access to a certain address
		232	* is valid. The argument is a physical page number.
		233	*
		234	*
		235	* On x86, access has to be given to the first megabyte of ram because that area
		236	* contains bios code and data regions used by X and dosemu and similar apps.
		237	* Access has to be given to non-kernel-ram areas as well, these contain the PCI
		238	* mmio resources as well as potential bios/acpi data regions.
		239	*/
		240	int devmem_is_allowed(unsigned long pagenr)
		241	{
		242	if (pagenr <= 256)
		243	return 1;
		244	if (!page_is_ram(pagenr))
		245	return 1;
		246	return 0;
		247	}
		248
230	#ifdef CONFIG_HIGHMEM	249	#ifdef CONFIG_HIGHMEM
231	pte_t *kmap_pte;	250	pte_t *kmap_pte;
232	pgprot_t kmap_prot;	251	pgprot_t kmap_prot;


diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 1ff7906a9a4d..49c274ee2fba 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c
@@ -664,6 +664,26 @@ EXPORT_SYMBOL_GPL(memory_add_physaddr_to_nid);
664		664
665	#endif /* CONFIG_MEMORY_HOTPLUG */	665	#endif /* CONFIG_MEMORY_HOTPLUG */
666		666
		667	/*
		668	* devmem_is_allowed() checks to see if /dev/mem access to a certain address
		669	* is valid. The argument is a physical page number.
		670	*
		671	*
		672	* On x86, access has to be given to the first megabyte of ram because that area
		673	* contains bios code and data regions used by X and dosemu and similar apps.
		674	* Access has to be given to non-kernel-ram areas as well, these contain the PCI
		675	* mmio resources as well as potential bios/acpi data regions.
		676	*/
		677	int devmem_is_allowed(unsigned long pagenr)
		678	{
		679	if (pagenr <= 256)
		680	return 1;
		681	if (!page_is_ram(pagenr))
		682	return 1;
		683	return 0;
		684	}
		685
		686
667	static struct kcore_list kcore_mem, kcore_vmalloc, kcore_kernel,	687	static struct kcore_list kcore_mem, kcore_vmalloc, kcore_kernel,
668	kcore_modules, kcore_vsyscall;	688	kcore_modules, kcore_vsyscall;
669		689