From: "H. Peter Anvin" <hpa@zytor.com>
To: Matthew Garrett <matthew.garrett@nebula.com>
Cc: linux-pci@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-efi@vger.kernel.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL
Date: Tue, 19 Mar 2013 18:02:53 -0700 [thread overview]
Message-ID: <51490ABD.3050205@zytor.com> (raw)
In-Reply-To: <1363642353-30749-1-git-send-email-matthew.garrett@nebula.com>
On 03/18/2013 02:32 PM, Matthew Garrett wrote:
>
> This means we can return our focus to the kernel. There's currently a number
> of kernel interfaces that permit privileged userspace to modify the running
> kernel. These are currently protected by CAP_SYS_RAWIO, but unfortunately
> the semantics of this capability are poorly defined and it now covers a large
> superset of the desired behaviour.
>
... except it doesn't.
Looking at it in detail, EVERYTHING in CAP_SYS_RAWIO has the possibility
of compromising the kernel, because they let device drivers be bypassed,
which means arbitrary DMA, which means you have everything.
Now, a lot of the abuses of CAP_SYS_RAWIO have clearly been added by
people who had *no bloody clue* what that capability meant, but it
really doesn't change the fact that pretty much if you have
CAP_SYS_RAWIO you have the machine.
So just reject CAP_SYS_RAWIO.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2013-03-20 1:03 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 21:32 [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` [PATCH 02/12] SELinux: define mapping for CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` [PATCH 03/12] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2013-03-18 21:32 ` [PATCH 04/12] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2013-03-18 21:32 ` [PATCH 05/12] PCI: Require CAP_COMPROMISE_KERNEL for PCI BAR access Matthew Garrett
2013-03-27 15:03 ` Josh Boyer
2013-03-27 15:08 ` Kyle McMartin
2013-03-28 12:46 ` Josh Boyer
2013-03-18 21:32 ` [PATCH 06/12] x86: Require CAP_COMPROMISE_KERNEL for IO port access Matthew Garrett
2013-03-20 1:00 ` H. Peter Anvin
2013-03-18 21:32 ` [PATCH 07/12] ACPI: Limit access to custom_method Matthew Garrett
2013-03-18 21:32 ` [PATCH 08/12] asus-wmi: Restrict debugfs interface Matthew Garrett
2013-03-18 21:32 ` [PATCH 09/12] Require CAP_COMPROMISE_KERNEL for /dev/mem and /dev/kmem access Matthew Garrett
2013-03-18 21:32 ` [PATCH 10/12] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2013-03-19 8:47 ` Dave Young
2013-03-19 11:19 ` Josh Boyer
2013-03-19 17:07 ` [PATCH v2] " Josh Boyer
2013-03-18 21:32 ` [PATCH 11/12] x86: Require CAP_COMPROMISE_KERNEL for MSR writing Matthew Garrett
2013-03-18 21:32 ` [PATCH 12/12] kexec: Require CAP_SYS_COMPROMISE_KERNEL Matthew Garrett
2013-03-19 4:47 ` [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL James Morris
2013-03-20 1:03 ` H. Peter Anvin
2013-03-20 16:41 ` Mimi Zohar
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 18:01 ` Mimi Zohar
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 21:11 ` Mimi Zohar
2013-03-20 21:18 ` Matthew Garrett
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 16:04 ` Vivek Goyal
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 1:58 ` James Morris
2013-03-19 7:18 ` Yves-Alexis Perez
2013-03-20 1:02 ` H. Peter Anvin [this message]
2013-03-20 1:05 ` H. Peter Anvin
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 16:45 ` H. Peter Anvin
-- strict thread matches above, loose matches on Subject: below --
2013-03-20 1:07 Matthew Garrett
2013-03-20 1:11 ` H. Peter Anvin
2013-03-20 1:09 Matthew Garrett
2013-03-20 1:28 Matthew Garrett
2013-03-20 2:48 ` H. Peter Anvin
2013-03-20 3:08 ` H. Peter Anvin
2013-03-20 3:18 ` Alex Williamson
2013-03-20 3:22 ` H. Peter Anvin
2013-03-20 3:27 ` Alex Williamson
2013-03-21 16:32 Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51490ABD.3050205@zytor.com \
--to=hpa@zytor.com \
--cc=kexec@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox