* [PATCH] Kconfig: Make config Filter access to /dev/mem default y @ 2010-04-13 2:52 wzt.wzt 2010-04-15 6:12 ` Xiaotian Feng 2010-04-15 18:03 ` Pavel Machek 0 siblings, 2 replies; 13+ messages in thread From: wzt.wzt @ 2010-04-13 2:52 UTC (permalink / raw) To: linux-kernel; +Cc: mingo, hpa, x86, zippel Recently, most company start use >=2.6.31 kernels to replace redhat kernels. But the config "Filter access to /dev/mem" is "default n", that allows kernel rootkit using /dev/mem again. it could access all kernel memory default. Most administrator don't known the "Filter access to /dev/mem" is "defult N", when he compiles the kernel, it's easily to be attacked by rootkit. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> --- arch/x86/Kconfig.debug | 3 ++- arch/x86/configs/i386_defconfig | 2 +- arch/x86/configs/x86_64_defconfig | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index bc01e3e..733aea6 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" config STRICT_DEVMEM bool "Filter access to /dev/mem" + default y ---help--- If this option is disabled, you allow userspace (root) access to all of memory, including kernel and userspace memory. Accidental @@ -20,7 +21,7 @@ config STRICT_DEVMEM This is sufficient for dosemu and X and all common users of /dev/mem. - If in doubt, say Y. + If in doubt, say N. config X86_VERBOSE_BOOTUP bool "Enable verbose x86 bootup info messages" diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig index d28fad1..95c85a8 100644 --- a/arch/x86/configs/i386_defconfig +++ b/arch/x86/configs/i386_defconfig @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y # CONFIG_SAMPLES is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set -# CONFIG_STRICT_DEVMEM is not set +CONFIG_STRICT_DEVMEM=y CONFIG_X86_VERBOSE_BOOTUP=y CONFIG_EARLY_PRINTK=y CONFIG_EARLY_PRINTK_DBGP=y 
diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig index 6c86acd..659bfe7 100644 --- a/arch/x86/configs/x86_64_defconfig +++ b/arch/x86/configs/x86_64_defconfig @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y # CONFIG_SAMPLES is not set CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set -# CONFIG_STRICT_DEVMEM is not set +CONFIG_STRICT_DEVMEM=y CONFIG_X86_VERBOSE_BOOTUP=y CONFIG_EARLY_PRINTK=y CONFIG_EARLY_PRINTK_DBGP=y -- 1.6.5.3 ^ permalink raw reply related [flat|nested] 13+ messages in thread
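Review bot: The second arch/x86/Kconfig.debug hunk changes the help text from "If in doubt, say Y." to "If in doubt, say N.", which contradicts the "default y" added in the first hunk and the changelog's own argument that the filter should be on. Drop that hunk so the help text keeps recommending Y, or explain in the changelog why the recommendation is reversed.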
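Review bot: The changelog does not mention that the i386_defconfig and x86_64_defconfig hunks also switch CONFIG_STRICT_DEVMEM from "is not set" to "=y"; say so, and state which /dev/mem users are expected to keep working, since the help text only names dosemu and X. All three files touched are under arch/x86, so an "x86:" subject prefix would describe the scope better than "Kconfig:".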
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y 2010-04-13 2:52 [PATCH] Kconfig: Make config Filter access to /dev/mem default y wzt.wzt @ 2010-04-15 6:12 ` Xiaotian Feng 2010-04-15 6:17 ` wzt wzt 2010-04-15 6:36 ` Michal Svoboda 2010-04-15 18:03 ` Pavel Machek 1 sibling, 2 replies; 13+ messages in thread From: Xiaotian Feng @ 2010-04-15 6:12 UTC (permalink / raw) To: wzt.wzt; +Cc: linux-kernel, mingo, hpa, x86, zippel On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt@gmail.com> wrote: > Recently, most company start use >=2.6.31 kernels to replace redhat kernels. > But the config "Filter access to /dev/mem" is "default n", that allows kernel > rootkit using /dev/mem again. it could access all kernel memory default. Most > administrator don't known the "Filter access to /dev/mem" is "defult N", when > he compiles the kernel, it's easily to be attacked by rootkit. Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM is not set, the /dev/mem access is filtered in pat code. > > Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> > > --- > arch/x86/Kconfig.debug | 3 ++- > arch/x86/configs/i386_defconfig | 2 +- > arch/x86/configs/x86_64_defconfig | 2 +- > 3 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug > index bc01e3e..733aea6 100644 > --- a/arch/x86/Kconfig.debug > +++ b/arch/x86/Kconfig.debug > @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" > > config STRICT_DEVMEM > bool "Filter access to /dev/mem" > + default y > ---help--- > If this option is disabled, you allow userspace (root) access to all > of memory, including kernel and userspace memory. Accidental > @@ -20,7 +21,7 @@ config STRICT_DEVMEM > This is sufficient for dosemu and X and all common users of > /dev/mem. > > - If in doubt, say Y. > + If in doubt, say N. > > config X86_VERBOSE_BOOTUP > bool "Enable verbose x86 bootup info messages" 
> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig > index d28fad1..95c85a8 100644 > --- a/arch/x86/configs/i386_defconfig > +++ b/arch/x86/configs/i386_defconfig > @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig > index 6c86acd..659bfe7 100644 > --- a/arch/x86/configs/x86_64_defconfig > +++ b/arch/x86/configs/x86_64_defconfig > @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > -- > 1.6.5.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: wzt wzt @ 2010-04-15 6:17 UTC
To: Xiaotian Feng; +Cc: linux-kernel, mingo, hpa, x86, zippel

On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng@gmail.com> wrote:
> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt@gmail.com> wrote:
>> Recently, most company start use >=2.6.31 kernels to replace redhat kernels.
>> But the config "Filter access to /dev/mem" is "default n", that allows kernel
>> rootkit using /dev/mem again. it could access all kernel memory default. Most
>> administrator don't known the "Filter access to /dev/mem" is "defult N", when
>> he compiles the kernel, it's easily to be attacked by rootkit.
>
> Have you ever successfully attack by this way?

[root@localhost zealot]# ./zealot
[+] Found HISTSIZE. [SAFE]
[+] Check md5 values. [SAFE]
[+] eth0 was not set promsic. [SAFE]
[+] Not found raw socket. [SAFE]
system_call addr changed to 0xc04028a0,sys_call_table addr changed to
0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
call sys_fork addr changed to 0xc0407bbb

It's a host IDS I wrote, it could search all kernel memory using /dev/mem. ok?

some of the code here:

static void *kmap(unsigned long off, unsigned long count)
{
        int fd;
        void *p;

        fd = open(DEV_MEM, O_RDWR);
        if (fd < 0) {
                /* open() itself failed: nothing to map */
                DbgPrint("open %s failed.\n", DEV_MEM);
                return NULL;
        }
        if (fd < 3) {
                /* move the descriptor clear of stdin/stdout/stderr */
                dup2(fd, 3);
                close(fd);
                fd = 3;
        }

        /* the mask drops the top bits of the kernel virtual address
         * to form the offset into /dev/mem */
        p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
                 MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
        if (p == MAP_FAILED)
        {
                mem_support_flag = 1;
                fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");

                DbgPrint("mmap failture, errno %d\n", errno);
                close(fd);
                return NULL;
        }

        close(fd);
        return p;
}

>If CONFIG_STRICT_DEVMEM
> is not set, the /dev/mem access is filtered in pat code.

please point it, thanks.
>> >> Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> >> >> --- >> arch/x86/Kconfig.debug | 3 ++- >> arch/x86/configs/i386_defconfig | 2 +- >> arch/x86/configs/x86_64_defconfig | 2 +- >> 3 files changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >> index bc01e3e..733aea6 100644 >> --- a/arch/x86/Kconfig.debug >> +++ b/arch/x86/Kconfig.debug >> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >> >> config STRICT_DEVMEM >> bool "Filter access to /dev/mem" >> + default y >> ---help--- >> If this option is disabled, you allow userspace (root) access to all >> of memory, including kernel and userspace memory. Accidental >> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >> This is sufficient for dosemu and X and all common users of >> /dev/mem. >> >> - If in doubt, say Y. >> + If in doubt, say N. >> >> config X86_VERBOSE_BOOTUP >> bool "Enable verbose x86 bootup info messages" >> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >> index d28fad1..95c85a8 100644 >> --- a/arch/x86/configs/i386_defconfig >> +++ b/arch/x86/configs/i386_defconfig >> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >> # CONFIG_SAMPLES is not set >> CONFIG_HAVE_ARCH_KGDB=y >> # CONFIG_KGDB is not set >> -# CONFIG_STRICT_DEVMEM is not set >> +CONFIG_STRICT_DEVMEM=y >> CONFIG_X86_VERBOSE_BOOTUP=y >> CONFIG_EARLY_PRINTK=y >> CONFIG_EARLY_PRINTK_DBGP=y >> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >> index 6c86acd..659bfe7 100644 >> --- a/arch/x86/configs/x86_64_defconfig >> +++ b/arch/x86/configs/x86_64_defconfig 
>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >> # CONFIG_SAMPLES is not set >> CONFIG_HAVE_ARCH_KGDB=y >> # CONFIG_KGDB is not set >> -# CONFIG_STRICT_DEVMEM is not set >> +CONFIG_STRICT_DEVMEM=y >> CONFIG_X86_VERBOSE_BOOTUP=y >> CONFIG_EARLY_PRINTK=y >> CONFIG_EARLY_PRINTK_DBGP=y >> -- >> 1.6.5.3 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> Please read the FAQ at http://www.tux.org/lkml/ >> > ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Xiaotian Feng @ 2010-04-15 6:28 UTC
To: wzt wzt; +Cc: linux-kernel, mingo, hpa, x86, zippel

On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt@gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng@gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt@gmail.com> wrote:
>>> Recently, most company start use >=2.6.31 kernels to replace redhat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", that allows kernel
>>> rootkit using /dev/mem again. it could access all kernel memory default. Most
>>> administrator don't known the "Filter access to /dev/mem" is "defult N", when
>>> he compiles the kernel, it's easily to be attacked by rootkit.
>>
>> Have you ever successfully attack by this way?
>
> [root@localhost zealot]# ./zealot

so you're running rootkit as a root user?

> [+] Found HISTSIZE. [SAFE]
> [+] Check md5 values. [SAFE]
> [+] eth0 was not set promsic. [SAFE]
> [+] Not found raw socket. [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host ids i wrote, it could search all kernel memory using /dev/mem. ok?
>
> some of the code here:
> static void *kmap(unsigned long off, unsigned long count)
> {
>         int fd;
>         void *p;
>
>         fd = open(DEV_MEM, O_RDWR);
>         if (fd < 3) {
>                 DbgPrint("open %s failed.\n", DEV_MEM);
>                 dup2(fd, 3);
>                 close(fd);
>                 fd = 3;
>         }
>
>         p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
>                  MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
>         if (p == MAP_FAILED)
>         {
>                 mem_support_flag = 1;
>                 fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
>
>                 DbgPrint("mmap failture, errno %d\n", errno);
>                 close(fd);
>                 return NULL;
>         }
>
>         close(fd);
>         return p;
> }
>
>>If CONFIG_STRICT_DEVMEM
>> is not set, the /dev/mem access is filtered in pat code.
> please point it, thanks. > Years ago, someone sent the same patch. check http://lkml.org/lkml/2008/11/7/361 >>> >>> Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> >>> >>> --- >>> arch/x86/Kconfig.debug | 3 ++- >>> arch/x86/configs/i386_defconfig | 2 +- >>> arch/x86/configs/x86_64_defconfig | 2 +- >>> 3 files changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >>> index bc01e3e..733aea6 100644 >>> --- a/arch/x86/Kconfig.debug >>> +++ b/arch/x86/Kconfig.debug >>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >>> >>> config STRICT_DEVMEM >>> bool "Filter access to /dev/mem" >>> + default y >>> ---help--- >>> If this option is disabled, you allow userspace (root) access to all >>> of memory, including kernel and userspace memory. Accidental >>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >>> This is sufficient for dosemu and X and all common users of >>> /dev/mem. >>> >>> - If in doubt, say Y. >>> + If in doubt, say N. >>> >>> config X86_VERBOSE_BOOTUP >>> bool "Enable verbose x86 bootup info messages" >>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >>> index d28fad1..95c85a8 100644 >>> --- a/arch/x86/configs/i386_defconfig >>> +++ b/arch/x86/configs/i386_defconfig >>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >>> index 6c86acd..659bfe7 100644 >>> --- a/arch/x86/configs/x86_64_defconfig >>> +++ b/arch/x86/configs/x86_64_defconfig 
>>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> -- >>> 1.6.5.3 >>> >>> -- >>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> Please read the FAQ at http://www.tux.org/lkml/ >>> >> > ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: wzt wzt @ 2010-04-15 6:39 UTC
To: Xiaotian Feng; +Cc: linux-kernel, mingo, hpa, x86, zippel

> so you're running rootkit as a root user?

A rootkit always runs as a root user.

> Years ago, someone sent the same patch.
> check http://lkml.org/lkml/2008/11/7/361

Thanks, I read it. But nowadays >= 2.6.26 kernels have become more popular and more people are starting to use them.
When they compile the kernel, they don't change the KERNEL_HACKING option, because they are not kernel programmers.
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Xiaotian Feng @ 2010-04-15 7:12 UTC
To: wzt wzt; +Cc: linux-kernel, mingo, hpa, x86, zippel

On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt@gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng@gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt@gmail.com> wrote:
>>> Recently, most company start use >=2.6.31 kernels to replace redhat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", that allows kernel
>>> rootkit using /dev/mem again. it could access all kernel memory default. Most
>>> administrator don't known the "Filter access to /dev/mem" is "defult N", when
>>> he compiles the kernel, it's easily to be attacked by rootkit.
>>
>> Have you ever successfully attack by this way?

I'm curious about the result if you open this option to yes.

>
> [root@localhost zealot]# ./zealot
> [+] Found HISTSIZE. [SAFE]
> [+] Check md5 values. [SAFE]
> [+] eth0 was not set promsic. [SAFE]
> [+] Not found raw socket. [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host ids i wrote, it could search all kernel memory using /dev/mem. ok?
> > some of the code here: > static void *kmap(unsigned long off, unsigned long count) > { > int fd; > void *p; > > fd = open(DEV_MEM, O_RDWR); > if (fd < 3) { > DbgPrint("open %s failed.\n", DEV_MEM); > dup2(fd, 3); > close(fd); > fd = 3; > } > > p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE, > MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff); mmap_mem in drivers/char/mem.c if (!range_is_allowed(vma->vm_pgoff, size)) return -EPERM; if (!phys_mem_access_prot_allowed(file, vma->vm_pgoff, size, &vma->vm_page_prot)) return -EINVAL; If kernel is not set CONFIG_STRICT_DEVMEM, range_is_allowed will return 1 always, and phys_mem_access_prot_allowed is defined as weak. In arch/x86/mm/pat.c, phys_mem_access_prot_allowed is defined, and range_is_allowed is declared to check the mem access w/o CONFIG_STRICT_DEVMEM, so it looks like the same as kernel w/ CONFIG_STRICT_DEVMEM. What's the result for kernel w/ CONFIG_STRICT_DEVMEM ? does it prevent your rootkit? > if (p == MAP_FAILED) > { > mem_support_flag = 1; > fprintf(stdout, "[-] /dev/mem cannot be read or write.\n"); > > DbgPrint("mmap failture, errno %d\n", errno); > close(fd); > return NULL; > } > > close(fd); > return p; > } > >>If CONFIG_STRICT_DEVMEM >> is not set, the /dev/mem access is filtered in pat code. > please point it, thanks. > >>> >>> Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> >>> >>> --- >>> arch/x86/Kconfig.debug | 3 ++- >>> arch/x86/configs/i386_defconfig | 2 +- >>> arch/x86/configs/x86_64_defconfig | 2 +- >>> 3 files changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >>> index bc01e3e..733aea6 100644 >>> --- a/arch/x86/Kconfig.debug >>> +++ b/arch/x86/Kconfig.debug 
>>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >>> >>> config STRICT_DEVMEM >>> bool "Filter access to /dev/mem" >>> + default y >>> ---help--- >>> If this option is disabled, you allow userspace (root) access to all >>> of memory, including kernel and userspace memory. Accidental >>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >>> This is sufficient for dosemu and X and all common users of >>> /dev/mem. >>> >>> - If in doubt, say Y. >>> + If in doubt, say N. >>> >>> config X86_VERBOSE_BOOTUP >>> bool "Enable verbose x86 bootup info messages" >>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >>> index d28fad1..95c85a8 100644 >>> --- a/arch/x86/configs/i386_defconfig >>> +++ b/arch/x86/configs/i386_defconfig >>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >>> index 6c86acd..659bfe7 100644 >>> --- a/arch/x86/configs/x86_64_defconfig >>> +++ b/arch/x86/configs/x86_64_defconfig >>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> -- >>> 1.6.5.3 >>> >>> -- >>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> Please read the FAQ at http://www.tux.org/lkml/ >>> >> > ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: wzt wzt @ 2010-04-15 7:37 UTC
To: Xiaotian Feng; +Cc: linux-kernel, mingo, hpa, x86, zippel

> I'm curious about the result if you open this option to yes.

Here is the result you want to see:

Program zealot tried to access /dev/mem between 407000->409000.

My IDS can't work around it.

> What's the result for kernel w/ CONFIG_STRICT_DEVMEM ? does it prevent
> your rootkit?

My program is not a rootkit. If you want to see some backdoors, please
read the Mood-nt2.3 or suckit source code, have fun.
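The two checks this exchange suggests to an administrator, as an added example (not code from the thread or from the kernel tree): `strict_devmem_state` reports how a kernel config file sets CONFIG_STRICT_DEVMEM, and `devmem_denials` extracts the denial message quoted above from a kernel log. The function names, the config fragments, the timestamps and the second log line are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed; only the
# first denial message below is taken from the thread.

# strict_devmem_state [FILE]
# Reads a kernel .config or defconfig (file argument or stdin) and prints:
#   enabled      CONFIG_STRICT_DEVMEM=y
#   disabled     "# CONFIG_STRICT_DEVMEM is not set" or =n
#   unspecified  symbol absent, so the Kconfig default decides
# If the symbol appears more than once, the last line is reported.
strict_devmem_state() {
    awk '
        /^CONFIG_STRICT_DEVMEM=y[ \t]*$/            { state = "enabled" }
        /^CONFIG_STRICT_DEVMEM=n[ \t]*$/            { state = "disabled" }
        /^# CONFIG_STRICT_DEVMEM is not set[ \t]*$/ { state = "disabled" }
        END { print (state == "" ? "unspecified" : state) }
    ' "$@"
}

# devmem_denials [FILE]
# Reads kernel log lines and prints "START END PROGRAM" for every line of
# the form "Program X tried to access /dev/mem between A->B."
# The match is anchored on the fixed tail of the message because the
# program name is chosen by the process itself and is untrusted text.
devmem_denials() {
    awk '
        {
            if (!match($0, / tried to access \/dev\/mem between [0-9a-fA-F]+->[0-9a-fA-F]+\.$/))
                next
            tail = substr($0, RSTART, RLENGTH)
            head = substr($0, 1, RSTART - 1)
            p = index(head, "Program ")
            if (p == 0)
                next
            comm = substr(head, p + 8)      # text after "Program "
            sub(/^.* between /, "", tail)   # leaves "A->B."
            sub(/\.$/, "", tail)            # leaves "A->B"
            split(tail, r, "->")
            print r[1], r[2], comm
        }
    ' "$@"
}

# Constructed defconfig fragments: before and after the proposed change.
SAMPLE_BEFORE='# CONFIG_KGDB is not set
# CONFIG_STRICT_DEVMEM is not set
CONFIG_X86_VERBOSE_BOOTUP=y'

SAMPLE_AFTER='# CONFIG_KGDB is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_X86_VERBOSE_BOOTUP=y'

# Constructed kernel log: timestamps and the last line are made up.
SAMPLE_LOG='[  101.000001] eth0: link up
[  245.118220] Program zealot tried to access /dev/mem between 407000->409000.
[  245.118901] Program zealot tried to access /dev/mem between 409000->40b000.'

printf 'before patch: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | strict_devmem_state)"
printf 'after patch:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | strict_devmem_state)"
printf '%s\n' "$SAMPLE_LOG" | devmem_denials
```

On a running system the same functions can be fed the installed kernel's config file and the output of `dmesg`; an "unspecified" result means the build took whatever default the Kconfig entry carried.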
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Michal Svoboda @ 2010-04-15 6:36 UTC
To: linux-kernel

Xiaotian Feng wrote:
> Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM
> is not set, the /dev/mem access is filtered in pat code.

If that option doesn't add any protection, what's it good for?
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Jiri Kosina @ 2010-04-15 10:43 UTC
To: Michal Svoboda; +Cc: linux-kernel

On Thu, 15 Apr 2010, Michal Svoboda wrote:
> > Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM
> > is not set, the /dev/mem access is filtered in pat code.
>
> If that option doesn't add any protection, what's it good for?

Access to /dev/mem being filtered in PAT obviously applies only to x86.

Architectures which don't do such filtering in their respective
phys_mem_access_prot_allowed() still need this option.

--
Jiri Kosina
SUSE Labs, Novell Inc.
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Michal Svoboda @ 2010-04-15 13:41 UTC
To: linux-kernel

Jiri Kosina wrote:
> Access to /dev/mem being filtered in PAT obviously applies only to x86.
>
> Architectures which don't do such filtering in their respective
> phys_mem_access_prot_allowed() still need this option.

So why not use it for all archs uniformly? Is PAT filtering better in
some ways?

Michal Svoboda
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Alan Cox @ 2010-04-15 13:59 UTC
To: Michal Svoboda; +Cc: linux-kernel

On Thu, 15 Apr 2010 15:41:53 +0200 Michal Svoboda <michal.svoboda@agents.felk.cvut.cz> wrote:
> Jiri Kosina wrote:
> > Access to /dev/mem being filtered in PAT obviously applies only to x86.
> >
> > Architectures which don't do such filtering in their respective
> > phys_mem_access_prot_allowed() still need this option.
>
> So why not use it for all archs uniformly? Is PAT filtering better in
> some ways?

PAT is an x86 specific hardware feature. The x86 processors can set per
page caching properties as with some other CPU designs. In the x86 case
all references to the page must have the same cache settings so the PAT
implementation has to filter /dev/mem access to avoid machine check
errors.

It's not implemented as a security feature, it's a side effect of the
hardware requirements on that CPU range.

Alan
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y
From: Alan Cox @ 2010-04-15 11:00 UTC
To: Michal Svoboda; +Cc: linux-kernel

On Thu, 15 Apr 2010 08:36:26 +0200 Michal Svoboda <michal.svoboda@agents.felk.cvut.cz> wrote:
> Xiaotian Feng wrote:
> > Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM
> > is not set, the /dev/mem access is filtered in pat code.
>
> If that option doesn't add any protection, what's it good for?

PAT is x86 specific
* Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y 2010-04-13 2:52 [PATCH] Kconfig: Make config Filter access to /dev/mem default y wzt.wzt 2010-04-15 6:12 ` Xiaotian Feng @ 2010-04-15 18:03 ` Pavel Machek 1 sibling, 0 replies; 13+ messages in thread From: Pavel Machek @ 2010-04-15 18:03 UTC (permalink / raw) To: wzt.wzt; +Cc: linux-kernel, mingo, hpa, x86, zippel > config STRICT_DEVMEM > bool "Filter access to /dev/mem" > + default y > ---help--- > If this option is disabled, you allow userspace (root) access to all > of memory, including kernel and userspace memory. Accidental > @@ -20,7 +21,7 @@ config STRICT_DEVMEM > This is sufficient for dosemu and X and all common users of > /dev/mem. > > - If in doubt, say Y. > + If in doubt, say N. > Eek. So... what is it? -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html ^ permalink raw reply [flat|nested] 13+ messages in thread