[ubuntu-hardened] /dev/mem restrictions kernel patch

Kees Cook kees at ubuntu.com
Thu Feb 14 23:08:03 GMT 2008


On Thu, Jan 31, 2008 at 07:16:36AM -0700, Tim Gardner wrote:
> Jeff Schroeder wrote:
> > Sorry for the crosspost, but I'm not sure how many of the kernel team
> > are on the hardened list.
> > 
> > Arjan van de Ven just posted a kernel patch for /dev/mem security that
> > looks interesting. It doesn't appear to be applied to ubuntu-hardy.git
> > or ubuntu-hardy-kees.git so I'm mentioning it now.
> > 
> > Since ubuntu appears to be taking a more proactive security approach,
> > are there any thoughts about merging this into the Hardy kernel? It is
> > a small patch that looks like a big win.
> > 
> > Shamelessly ripped description from http://lkml.org/lkml/2008/1/30/473 :
> > --------------------------------------
> > This patch introduces a restriction on /dev/mem: Only non-memory can be
> > read or written unless the newly introduced config option is set.
> > 
> > The X server needs access to /dev/mem for the PCI space, but it doesn't need
> > access to memory; both the file permissions and SELinux permissions of /dev/mem
> > just make X effectively super-super powerful. With the exception of the
> > BIOS area, there's just no valid app that uses /dev/mem on actual memory.
> > Other popular users of /dev/mem are rootkits and the like.
> > (note: mmap access of memory via /dev/mem has already been disallowed for
> > a really long time)
> > 
> > People who want to use /dev/mem for kernel debugging can enable the config
> > option.
> > 
> > The restrictions of this patch have been in the Fedora and RHEL kernels for
> > at least 4 years without any problems.
> > --------------------------------------
> > 
> 
> +1 from me, but it doesn't apply cleanly to current Hardy. I'm gonna let
> Kees handle integration and testing.

I've backported this to Hardy now.  Builds and runs fine AFAICT:

https://lists.ubuntu.com/archives/kernel-team/2008-February/002098.html

-Kees

-- 
Kees Cook
Ubuntu Security Team
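To make the policy in the quoted description concrete, here is a small user-space model of the /dev/mem check, added as an illustration and not code from the patch or from the Ubuntu kernel: the first 1 MiB (the BIOS area) and any page that is not system RAM stay accessible, while real memory is refused with EPERM unless the config option is off. The memory map and the `strict_devmem` toggle are constructed assumptions standing in for the kernel's own memory map and config option.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed physical-memory map (assumption for this model): two RAM
 * regions, the BIOS ROM, and a PCI MMIO window that is not RAM. */
struct region { uint64_t start, end; int is_ram; };
static const struct region mem_map[] = {
    { 0x00000000ULL, 0x0009F000ULL, 1 },   /* low RAM */
    { 0x000F0000ULL, 0x00100000ULL, 0 },   /* BIOS ROM */
    { 0x00100000ULL, 0x7FF00000ULL, 1 },   /* main RAM */
    { 0xE0000000ULL, 0xF0000000ULL, 0 },   /* PCI MMIO (what X needs) */
};
#define PAGE_SHIFT 12

/* Stands in for the kernel config option: 1 = restrict RAM access. */
int strict_devmem = 1;

/* Model of page_is_ram(): is page frame `pfn` backed by system RAM? */
static int page_is_ram(uint64_t pfn)
{
    uint64_t addr = pfn << PAGE_SHIFT;
    for (size_t i = 0; i < sizeof mem_map / sizeof mem_map[0]; i++)
        if (addr >= mem_map[i].start && addr < mem_map[i].end)
            return mem_map[i].is_ram;
    return 0;  /* unmapped physical space is treated as not RAM */
}

/* Policy: the first 1 MiB (BIOS area) and anything that is not RAM may be
 * accessed; actual memory is off limits while the restriction is on. */
int devmem_is_allowed(uint64_t pfn)
{
    if (!strict_devmem) return 1;
    if (pfn < 256) return 1;           /* 256 pages * 4 KiB = 1 MiB */
    if (!page_is_ram(pfn)) return 1;
    return 0;
}

/* Check every page a read()/write() of `count` bytes at `offset` touches.
 * Returns 0 when permitted, -EPERM when any page in the range is refused. */
int range_is_allowed(uint64_t offset, size_t count)
{
    if (count == 0) return 0;
    uint64_t pfn = offset >> PAGE_SHIFT;
    uint64_t last = (offset + count - 1) >> PAGE_SHIFT;
    for (; pfn <= last; pfn++)
        if (!devmem_is_allowed(pfn))
            return -EPERM;
    return 0;
}
```

A request that straddles the 1 MiB boundary into RAM is refused as a whole, which is the behaviour a defender should expect to see as EPERM from read() on a restricted kernel.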