From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Garrett <matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH V3 03/11] x86: Lock down IO port access when module
 security is enabled
Date: Thu, 5 Sep 2013 03:58:45 +0000
Message-ID: <1378353524.13193.26.camel@x230>
References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com>
	 <1378252218-18798-4-git-send-email-matthew.garrett@nebula.com>
	 <5227FFE8.5050102@zytor.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
In-Reply-To: <5227FFE8.5050102-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
Content-Language: en-US
Content-ID: <20382F52C93E8C47A347896EBF08F954-HX+pjaQZbrqcE4WynfumptQqCkab/8FMAL8bYrjMMd8@public.gmane.org>
Sender: linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: "H. Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, "linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, "keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org" <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
List-Id: linux-efi@vger.kernel.org

T24gV2VkLCAyMDEzLTA5LTA0IGF0IDIwOjUyIC0wNzAwLCBILiBQZXRlciBBbnZpbiB3cm90ZToN
Cj4gT24gMDkvMDMvMjAxMyAwNDo1MCBQTSwgTWF0dGhldyBHYXJyZXR0IHdyb3RlOg0KPiA+IElP
IHBvcnQgYWNjZXNzIHdvdWxkIHBlcm1pdCB1c2VycyB0byBnYWluIGFjY2VzcyB0byBQQ0kgY29u
ZmlndXJhdGlvbg0KPiA+IHJlZ2lzdGVycywgd2hpY2ggaW4gdHVybiAob24gYSBsb3Qgb2YgaGFy
ZHdhcmUpIGdpdmUgYWNjZXNzIHRvIE1NSU8gcmVnaXN0ZXINCj4gPiBzcGFjZS4gVGhpcyB3b3Vs
ZCBwb3RlbnRpYWxseSBwZXJtaXQgcm9vdCB0byB0cmlnZ2VyIGFyYml0cmFyeSBETUEsIHNvIGxv
Y2sNCj4gPiBpdCBkb3duIGJ5IGRlZmF1bHQuDQo+ID4gDQo+ID4gU2lnbmVkLW9mZi1ieTogTWF0
dGhldyBHYXJyZXR0IDxtYXR0aGV3LmdhcnJldHRAbmVidWxhLmNvbT4NCj4gDQo+IFNlcmlvdXNs
eS4uLiBqdXN0IGRlbnkgQ0FQX1NZU19SQVdJTyB0byBhbnkgc3lzdGVtIGluIHNlY3VyZSBtb2Rl
Lg0KDQpOby4gQ0FQX1NZU19SQVdJTyBibG9ja3MgdGhpbmdzIHRoYXQgd2UgZG9uJ3Qgd2FudCBi
bG9ja2VkICh4ODYNCm1pY3JvY29kZSB1cGRhdGVzLCB2YXJpb3VzIGRpc2sgaW9jdGxzLCAqZGV2
aWNlIGZpcm13YXJlIHVwbG9hZHMqIGFuZCBhDQpmZXcgb3RoZXJzKSAtIHRoZSBzZW1hbnRpY3Mg
anVzdCBkb24ndCBtYXRjaC4gV2UgY291bGQgcmVsYXggdGhvc2UNCnBlcm1pc3Npb25zLCBidXQg
dGhlbiB3ZSdkIHBvdGVudGlhbGx5IGJyZWFrIHNvbWVvbmUgZWxzZSdzIHNlY3VyaXR5DQpjb25z
aWRlcmF0aW9ucy4NCg0KLS0gDQpNYXR0aGV3IEdhcnJldHQgPG1hdHRoZXcuZ2FycmV0dEBuZWJ1
bGEuY29tPg0K

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754146Ab3IED6w (ORCPT <rfc822;w@1wt.eu>);
	Wed, 4 Sep 2013 23:58:52 -0400
Received: from mail-bl2lp0205.outbound.protection.outlook.com ([207.46.163.205]:13424
	"EHLO na01-bl2-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1753829Ab3IED6u (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 4 Sep 2013 23:58:50 -0400
From: Matthew Garrett <matthew.garrett@nebula.com>
To: "H. Peter Anvin" <hpa@zytor.com>
CC: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
        "keescook@chromium.org" <keescook@chromium.org>
Subject: Re: [PATCH V3 03/11] x86: Lock down IO port access when module
 security is enabled
Thread-Topic: [PATCH V3 03/11] x86: Lock down IO port access when module
 security is enabled
Thread-Index: AQHOqQBh9VrXJc6zbUqVxxtEmQPfAJm2hJUAgAAB2AA=
Date: Thu, 5 Sep 2013 03:58:45 +0000
Message-ID: <1378353524.13193.26.camel@x230>
References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com>
	 <1378252218-18798-4-git-send-email-matthew.garrett@nebula.com>
	 <5227FFE8.5050102@zytor.com>
In-Reply-To: <5227FFE8.5050102@zytor.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [209.6.207.143]
x-forefront-prvs: 096029FF66
x-forefront-antispam-report: SFV:NSPM;SFS:(479174003)(377454003)(24454002)(189002)(199002)(377424004)(51704005)(51856001)(4396001)(66066001)(33716001)(80022001)(83072001)(59766001)(46102001)(77982001)(65816001)(81816001)(33646001)(81686001)(79102001)(81342001)(50986001)(47976001)(47736001)(49866001)(74876001)(54356001)(76482001)(81542001)(54316002)(56776001)(63696002)(74502001)(31966008)(74662001)(47446002)(19580405001)(74706001)(83322001)(56816003)(77096001)(76786001)(76796001)(69226001)(74366001)(19580395003)(80976001)(53806001);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR05MB224;H:BY2PR05MB222.namprd05.prod.outlook.com;CLIP:209.6.207.143;RD:InfoNoRecords;MX:1;A:1;LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-ID: <20382F52C93E8C47A347896EBF08F954@namprd05.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: nebula.com
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id r853wu4n027492

On Wed, 2013-09-04 at 20:52 -0700, H. Peter Anvin wrote:
> On 09/03/2013 04:50 PM, Matthew Garrett wrote:
> > IO port access would permit users to gain access to PCI configuration
> > registers, which in turn (on a lot of hardware) give access to MMIO register
> > space. This would potentially permit root to trigger arbitrary DMA, so lock
> > it down by default.
> > 
> > Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> 
> Seriously... just deny CAP_SYS_RAWIO to any system in secure mode.

No. CAP_SYS_RAWIO blocks things that we don't want blocked (x86
microcode updates, various disk ioctls, *device firmware uploads* and a
few others) - the semantics just don't match. We could relax those
permissions, but then we'd potentially break someone else's security
considerations.

-- 
Matthew Garrett <matthew.garrett@nebula.com>
���{.n�+�������+%�����ݶ��w��{.n�+����{��G�����{ay�ʇڙ�,j��f���h��������z_�(�階�ݢj"���m������G������?����&���~��iO��z��v�^�m����������?�I�