[ubuntu-hardened] /dev/mem restrictions kernel patch

Jeff Schroeder jeffschroed at gmail.com
Thu Jan 31 02:39:23 GMT 2008

Sorry for the crosspost, but I'm not sure how many of the kernel team
are on the hardened list.

Arjan van de Ven just posted a kernel patch for /dev/mem security that
looks interesting. It doesn't appear to be applied to ubuntu-hardy.git
or ubuntu-hardy-kees.git so I'm mentioning it now.

Since Ubuntu appears to be taking a more proactive security approach,
are there any thoughts about merging this into the Hardy kernel? It is
a small patch that looks like a big win.

Shamelessly ripped description from http://lkml.org/lkml/2008/1/30/473 :
This patch introduces a restriction on /dev/mem: Only non-memory can be
read or written unless the newly introduced config option is set.

The X server needs access to /dev/mem for the PCI space, but it doesn't need
access to memory; both the file permissions and SELinux permissions of /dev/mem
just make X effectively super-super powerful. With the exception of the
BIOS area, there's just no valid app that uses /dev/mem on actual memory.
Other popular users of /dev/mem are rootkits and the like.
(note: mmap access of memory via /dev/mem has already been disallowed for
a really long time)

People who want to use /dev/mem for kernel debugging can enable the config.

The restrictions of this patch have been in the Fedora and RHEL kernels for
at least 4 years without any problems.

Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
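To make the policy in the quoted description concrete, here is a small userspace model of it (added here; this is not the patch's own code and not from the kernel). It assumes 4 KiB pages, takes "BIOS area" to mean the first 1 MiB of physical address space, and works on a constructed /proc/iomem-style excerpt rather than the live file; names such as devmem_is_allowed and range_is_allowed are chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define BIOS_AREA_PAGES 256      /* assumption: first 1 MiB (256 x 4 KiB) */
#define MAX_RAM_RANGES 16

/* Constructed /proc/iomem excerpt: physical ranges, inclusive, with names. */
static const char *sample_iomem =
    "00000000-0009fbff : System RAM\n"
    "000a0000-000bffff : PCI Bus 0000:00\n"
    "000f0000-000fffff : System ROM\n"
    "00100000-7ffeffff : System RAM\n"
    "e0000000-efffffff : PCI Bus 0000:00\n";

struct range { unsigned long start_pfn, end_pfn; };  /* inclusive page frames */
static struct range ram[MAX_RAM_RANGES];
static int nram;

/* Parse "start-end : name" lines and keep only the System RAM ranges. */
int load_ram_ranges(const char *text) {
    nram = 0;
    for (const char *p = text; p && *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL) {
        unsigned long s, e; char name[64];
        if (sscanf(p, "%lx-%lx : %63[^\n]", &s, &e, name) == 3 &&
            strcmp(name, "System RAM") == 0 && nram < MAX_RAM_RANGES)
            ram[nram++] = (struct range){ s >> PAGE_SHIFT, e >> PAGE_SHIFT };
    }
    return nram;
}

/* Policy from the description: the BIOS area stays reachable; any other
 * page may be touched only if it is not actual memory (PCI space, ROM, ...). */
bool devmem_is_allowed(unsigned long pfn) {
    if (pfn < BIOS_AREA_PAGES) return true;
    for (int i = 0; i < nram; i++)
        if (pfn >= ram[i].start_pfn && pfn <= ram[i].end_pfn) return false;
    return true;
}

/* A read or write of len bytes at physical addr is allowed only if every
 * page it touches is allowed, so a request straddling into RAM is refused. */
bool range_is_allowed(unsigned long addr, size_t len) {
    if (len == 0) return true;
    unsigned long last = (addr + len - 1) >> PAGE_SHIFT;
    for (unsigned long pfn = addr >> PAGE_SHIFT; pfn <= last; pfn++)
        if (!devmem_is_allowed(pfn)) return false;
    return true;
}

int main(void) {
    load_ram_ranges(sample_iomem);
    printf("ROM 0xf0000:    %s\n", range_is_allowed(0xf0000, 4096) ? "allowed" : "denied");
    printf("RAM 0x100000:   %s\n", range_is_allowed(0x100000, 4096) ? "allowed" : "denied");
    printf("PCI 0xe0000000: %s\n", range_is_allowed(0xe0000000UL, 4096) ? "allowed" : "denied");
    return 0;
}
```

Reading the real /proc/iomem into load_ram_ranges lets you see, for a given machine, which physical ranges a restricted /dev/mem would still expose (PCI space for X) and which it would deny (system RAM).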
