[ubuntu-hardened] /dev/mem restrictions kernel patch
Tim Gardner
tim.gardner at canonical.com
Thu Jan 31 14:16:36 GMT 2008
Jeff Schroeder wrote:
> Sorry for the crosspost, but I'm not sure how many of the kernel team
> are on the hardened list.
>
> Arjan van de Ven just posted a kernel patch for /dev/mem security that
> looks interesting. It doesn't appear to be applied to ubuntu-hardy.git
> or ubuntu-hardy-kees.git so I'm mentioning it now.
>
> Since ubuntu appears to be taking a more proactive security approach,
> are there any thoughts about merging this into the Hardy kernel? It is
> a small patch that looks like a big win.
>
> Shamelessly ripped description from http://lkml.org/lkml/2008/1/30/473 :
> --------------------------------------
> This patch introduces a restriction on /dev/mem: Only non-memory can be
> read or written unless the newly introduced config option is set.
>
> The X server needs access to /dev/mem for the PCI space, but it doesn't need
> access to memory; both the file permissions and SELinux permissions of /dev/mem
> just make X effectively super-super powerful. With the exception of the
> BIOS area, there's just no valid app that uses /dev/mem on actual memory.
> Other popular users of /dev/mem are rootkits and the like.
> (note: mmap access of memory via /dev/mem has already been disallowed for
> a really long time)
>
> People who want to use /dev/mem for kernel debugging can enable the config
> option.
>
> The restrictions of this patch have been in the Fedora and RHEL kernels for
> at least 4 years without any problems.
> --------------------------------------
>
+1 from me, but it doesn't apply cleanly to current Hardy. I'm gonna let
Kees handle integration and testing.
rtg
--
Tim Gardner tim.gardner at ubuntu.com
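A way to check whether the restriction described in the quoted patch is actually in effect on a running kernel, as an added example that is not part of this thread or of Arjan's patch. It assumes an x86 memory layout where 0xF0000 falls inside the BIOS area the patch still permits, that physical 16 MiB is ordinary RAM, and that it runs as root.

```c
/* Added example (not from the thread or the patch): probe whether the
 * /dev/mem restriction is active. Assumptions: x86 layout, 0xF0000 is in
 * the legacy BIOS area the patch keeps readable, physical 16 MiB is RAM,
 * and the program runs as root (otherwise open() fails with EACCES). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum devmem_verdict { DEVMEM_RESTRICTED, DEVMEM_OPEN, DEVMEM_INCONCLUSIVE };

/* Read one byte of physical memory through /dev/mem.
 * Returns the pread() result; on failure *err holds errno. */
static ssize_t probe_devmem(off_t phys, int *err)
{
    unsigned char byte;
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0) { *err = errno; return -1; }
    ssize_t n = pread(fd, &byte, 1, phys);
    *err = (n < 0) ? errno : 0;
    close(fd);
    return n;
}

/* Interpret a read of a RAM page. With the restriction in place the kernel
 * answers EPERM; a successful read means RAM is exposed through /dev/mem;
 * anything else (not root, no device node, short read) proves nothing. */
enum devmem_verdict interpret_ram_probe(ssize_t n, int err)
{
    if (n > 0) return DEVMEM_OPEN;
    if (n < 0 && err == EPERM) return DEVMEM_RESTRICTED;
    return DEVMEM_INCONCLUSIVE;
}

int main(void)
{
    int err;
    ssize_t n = probe_devmem(0xF0000, &err);   /* legacy BIOS area: still allowed */
    printf("BIOS area read: %s\n", n > 0 ? "allowed" : strerror(err));
    n = probe_devmem(16L << 20, &err);         /* assumed to be ordinary RAM */
    switch (interpret_ram_probe(n, err)) {
    case DEVMEM_RESTRICTED: puts("RAM via /dev/mem: EPERM (restriction active)"); break;
    case DEVMEM_OPEN:       puts("RAM via /dev/mem: readable (restriction NOT active)"); break;
    default:                printf("RAM via /dev/mem: inconclusive (%s)\n", strerror(err));
    }
    return 0;
}
```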