55 lines
2.0 KiB
Diff
55 lines
2.0 KiB
Diff
|
From b9f93c7550b62939f250fad55b111637b0f66bc8 Mon Sep 17 00:00:00 2001
|
||
|
From: Alan Cox <alan@linux.intel.com>
|
||
|
Date: Thu, 15 Nov 2012 13:06:22 +0000
|
||
|
Subject: [PATCH] x86/msr: Add capabilities check
|
||
|
|
||
|
commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream.
|
||
|
|
||
|
At the moment the MSR driver only relies upon file system
|
||
|
checks. This means that anything as root with any capability set
|
||
|
can write to MSRs. Historically that wasn't very interesting but
|
||
|
on modern processors the MSRs are such that writing to them
|
||
|
provides several ways to execute arbitary code in kernel space.
|
||
|
Sample code and documentation on doing this is circulating and
|
||
|
MSR attacks are used on Windows 64bit rootkits already.
|
||
|
|
||
|
In the Linux case you still need to be able to open the device
|
||
|
file so the impact is fairly limited and reduces the security of
|
||
|
some capability and security model based systems down towards
|
||
|
that of a generic "root owns the box" setup.
|
||
|
|
||
|
Therefore they should require CAP_SYS_RAWIO to prevent an
|
||
|
elevation of capabilities. The impact of this is fairly minimal
|
||
|
on most setups because they don't have heavy use of
|
||
|
capabilities. Those using SELinux, SMACK or AppArmor rules might
|
||
|
want to consider if their rulesets on the MSR driver could be
|
||
|
tighter.
|
||
|
|
||
|
Signed-off-by: Alan Cox <alan@linux.intel.com>
|
||
|
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||
|
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||
|
Signed-off-by: Ingo Molnar <mingo@kernel.org>
|
||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
---
|
||
|
arch/x86/kernel/msr.c | 3 +++
|
||
|
1 file changed, 3 insertions(+)
|
||
|
|
||
|
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
|
||
|
index a7c5661..4929502 100644
|
||
|
--- a/arch/x86/kernel/msr.c
|
||
|
+++ b/arch/x86/kernel/msr.c
|
||
|
@@ -174,6 +174,9 @@ static int msr_open(struct inode *inode, struct file *file)
|
||
|
unsigned int cpu;
|
||
|
struct cpuinfo_x86 *c;
|
||
|
|
||
|
+ if (!capable(CAP_SYS_RAWIO))
|
||
|
+ return -EPERM;
|
||
|
+
|
||
|
cpu = iminor(file->f_path.dentry->d_inode);
|
||
|
if (cpu >= nr_cpu_ids || !cpu_online(cpu))
|
||
|
return -ENXIO; /* No such CPU */
|
||
|
--
|
||
|
1.8.1
|
||
|
|