Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down

[PATCH V40 00/29] Add kernel lockdown functionality · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 01/29] security: Support early LSMs · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 02/29] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2019-08-30
Re: [PATCH V40 04/29] lockdown: Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-09-04
[PATCH V40 05/29] lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 06/29] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 07/29] lockdown: Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Philipp Rudo <hidden> · 2019-08-30
[PATCH V40 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 10/29] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 10/29] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2019-08-20
Re: [PATCH V40 10/29] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2019-08-25
[PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Kai-Heng Feng <hidden> · 2022-01-05
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <mjg59@srcf.ucam.org> · 2022-01-05
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Kai-Heng Feng <hidden> · 2022-01-05
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <mjg59@srcf.ucam.org> · 2022-01-05
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Kai-Heng Feng <hidden> · 2022-01-05
Re: [PATCH V40 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <mjg59@srcf.ucam.org> · 2022-01-05
[PATCH V40 11/29] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 11/29] PCI: Lock down BAR access when the kernel is locked down · Bjorn Helgaas <helgaas@kernel.org> · 2019-08-20
Re: [PATCH V40 11/29] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 13/29] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 16/29] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 16/29] acpi: Disable ACPI table override if the kernel is locked down · Rafael J. Wysocki <hidden> · 2019-08-20
[PATCH V40 17/29] lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 18/29] lockdown: Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 19/29] lockdown: Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 19/29] lockdown: Lock down module params that specify hardware parameters (eg. ioport) · Jessica Yu <jeyu@kernel.org> · 2019-08-20
[PATCH V40 21/29] lockdown: Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 22/29] lockdown: Lock down tracing and perf kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 24/29] lockdown: Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 26/29] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 29/29] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 27/29] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · David Howells <dhowells@redhat.com> · 2019-08-30
[PATCH V40 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-08-20
[PATCH V40 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Rafael J. Wysocki <hidden> · 2019-08-20
[PATCH V40 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Rafael J. Wysocki <hidden> · 2019-08-20
[PATCH V40 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-08-20
Re: [PATCH V40 03/29] security: Add a static lockdown policy LSM · David Howells <dhowells@redhat.com> · 2019-08-30
Re: [PATCH V40 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-09-04
Re: [PATCH V40 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-09-10
Re: [PATCH V40 00/29] Add kernel lockdown functionality · James Morris <jmorris@namei.org> · 2019-08-20

From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: 2022-01-05 06:56:22
Also in: linux-security-module, lkml

On Wed, Jan 05, 2022 at 02:25:41PM +0800, Kai-Heng Feng wrote:

This patch breaks ioperm() usage from userspace programs with CAP_SYS_RAWIO cap.

I wonder if it's possible to revert this commit?

When lockdown is enabled, or under all circumstances? It's expected to 
be blocked when lockdown is enabled - allowing userland to use port IO 
would potentially allow reconfiguration of PCI devices in ways that 
could alter kernel behaviour in ways relevant to security, which is what 
lockdown aims to prevent. What's being broken by this?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help