Re: [PATCH] x86: introduce /dev/mem restrictions with a config option

---

• From: devzero@xxxxxx
• Date: Thu, 31 Jan 2008 15:04:28 +0100

---

nice !

did you think about some boot-time param , e.g. "insecure-devmem" or something like that?

recompiling kernel is time consuming.....






From: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
Subject: [PATCH] x86: introduce /dev/mem restrictions with a config option

This patch introduces a restriction on /dev/mem: Only non-memory can be
read or written unless the newly introduced config option is set.

The X server needs access to /dev/mem for the PCI space, but it doesn't need
access to memory; both the file permissions and SELinux permissions of /dev/mem
just make X effectively super-super powerful. With the exception of the
BIOS area, there's just no valid app that uses /dev/mem on actual memory.
Other popular users of /dev/mem are rootkits and the like.
(note: mmap access of memory via /dev/mem was already not allowed since
a really long time)

People who want to use /dev/mem for kernel debugging can enable the config
option.

The restrictions of this patch have been in the Fedora and RHEL kernels for
at least 4 years without any problems.

Signed-off-by: Arjan van de Ven <arjan@xxxxxxxxxxxxxxx>
_______________________________________________________________________
Jetzt neu! Schützen Sie Ihren PC mit McAfee und WEB.DE. 30 Tage
kostenlos testen. http://www.pc-sicherheit.web.de/startseite/?mc=022220

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] x86: introduce /dev/mem restrictions with a config option
    • From: Arjan van de Ven

• Prev by Date: Re: 2.6.24-rc8-mm1 Kernel BUG while bootup
• Next by Date: Re: [RFC v2 2/5] dmaengine: Add slave DMA interface
• Previous by thread: [RFC][PATCH v2 0/7] Scaling msgmni to the amount of lowmem
• Next by thread: Re: [PATCH] x86: introduce /dev/mem restrictions with a config option
• Index(es):
  • Date
  • Thread

---

Relevant Pages =?iso-8859-15?Q?Re:_[RFC]_BadRAM_still_not_ready_for_inclusion_=3F_(wa?= =?iso-8859- ... maybe this patch is just something very special, having many pro's but also con's - so this also could be one reason why it exists for so long outside mainline. ... BadRAM let's you tell the kernel to skip certain regions of ram, ... forever, once it becomes a supported feature, for the benefit of the few ... people who can't or won't replace bad memory. ... (Linux-Kernel) Re: Wheres the bzip2 compressed linux-kernel patch? ... On Monday 20 October 2003 03:31, Jörn Engel wrote: ... >> uses less memory. ... The kernel patch is on hold pending delivery of Manuel's updated ... (Linux-Kernel) Re: [PATCH] Re: More than 2Gb problem (dvb related) ? ... Andi Kleen included a patch to ensure vmalloc_32returns memory <4Gb ... With this patch applied the current driver appears to work OK. ... If the current kernel and/or modules do not match the log, ... (Linux-Kernel) Re: [RFC BUG?] dereference PAGE_OFFSET address (rc7-mm2) ... I didn't check whether the patch actually permits us to read kernel ... There are pagetables prior to this setup covering the ... unreadable kernel memory. ... (Linux-Kernel) Re: [PATCH] Re: More than 2Gb problem (dvb related) ? ... Andi Kleen included a patch to ensure vmalloc_32returns memory <4Gb ... With this patch applied the current driver appears to work OK. ... If the current kernel and/or modules do not match the log, ... (Linux-Kernel)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

linux.derkeiler.com  > Mailing-Lists  > Kernel  > 2008-01