From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Mon, 19 Aug 2019 17:17:41 -0700
Subject: lockdown: Restrict /dev/{mem,kmem,port} when the kernel is
 locked down
Patch-mainline: No, submitted https://lkml.org/lkml/2019/8/19/1195
References: fate#314486

Allowing users to read and write to core kernel memory makes it possible
for the kernel to be subverted, avoiding module loading restrictions, and
also to steal cryptographic information.

Disallow /dev/mem and /dev/kmem from being opened this when the kernel has
been locked down to prevent this.

Also disallow /dev/port from being opened to prevent raw ioport access and
thus DMA from being used to accomplish the same thing.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: x86@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Lee, Chun-Yi <jlee@suse.com>
Acked-by: Jean Delvare <jdelvare@suse.de>
---
 drivers/char/mem.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -842,6 +842,9 @@ static int open_port(struct inode *inode
 	if (!capable(CAP_SYS_RAWIO))
 		return -EPERM;
 
+	if (kernel_is_locked_down())
+		return -EPERM;
+
 	if (iminor(inode) != DEVMEM_MINOR)
 		return 0;