[PATCH 3/3] Remove CONFIG_STRICT_DEVMEM


 



Since the behaviour of /dev/mem can now be controlled via sysctl, we don't need
CONFIG_STRICT_DEVMEM any more. With SELinux or AppArmor, the sysctl can be
prevented from being turned on. Without SELinux or AppArmor, you can circumvent
the restriction anyway by loading a kernel module that installs a kretprobe
that just ignores the check and always returns true.

The increase in code size is negligible and the code becomes more readable
with fewer CONFIG options and #ifdefs.


Signed-off-by: Bernhard Walle <bwalle@xxxxxxx>
---
 arch/x86/Kconfig.debug            |   17 -----------------
 arch/x86/configs/i386_defconfig   |    1 -
 arch/x86/configs/x86_64_defconfig |    1 -
 arch/x86/include/asm/page.h       |    4 ----
 drivers/char/mem.c                |    7 +------
 5 files changed, 1 insertions(+), 29 deletions(-)

diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 2a3dfbd..28b7c26 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -5,23 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	help
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel. Note that with PAT support
-	  enabled, even in this case there are restrictions on /dev/mem
-	  use due to the cache aliasing requirements.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
-
-	  If in doubt, say Y.
-
 config X86_VERBOSE_BOOTUP
 	bool "Enable verbose x86 bootup info messages"
 	default y
diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
index 13b8c86..93e8696 100644
--- a/arch/x86/configs/i386_defconfig
+++ b/arch/x86/configs/i386_defconfig
@@ -2090,7 +2090,6 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
 # CONFIG_SAMPLES is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
-# CONFIG_STRICT_DEVMEM is not set
 CONFIG_X86_VERBOSE_BOOTUP=y
 CONFIG_EARLY_PRINTK=y
 CONFIG_DEBUG_STACKOVERFLOW=y
diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
index f0a03d7..8b162ea 100644
--- a/arch/x86/configs/x86_64_defconfig
+++ b/arch/x86/configs/x86_64_defconfig
@@ -2059,7 +2059,6 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
 # CONFIG_SAMPLES is not set
 CONFIG_HAVE_ARCH_KGDB=y
 # CONFIG_KGDB is not set
-# CONFIG_STRICT_DEVMEM is not set
 CONFIG_X86_VERBOSE_BOOTUP=y
 CONFIG_EARLY_PRINTK=y
 CONFIG_DEBUG_STACKOVERFLOW=y
diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
index e5fe778..90dfcf2 100644
--- a/arch/x86/include/asm/page.h
+++ b/arch/x86/include/asm/page.h
@@ -66,11 +66,7 @@ extern void unmap_devmem(unsigned long pfn, unsigned long size,
 #define __HAVE_ARCH_RANGE_IS_ALLOWED 1
 
 
-#ifdef CONFIG_STRICT_DEVMEM
 extern int devmem_restricted;
-#else
-#define devmem_restricted 0
-#endif
 
 extern unsigned long max_low_pfn_mapped;
 extern unsigned long max_pfn_mapped;
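Review bot: Dropping the `#define devmem_restricted 0` fallback changes the default for every configuration that had CONFIG_STRICT_DEVMEM unset, including both defconfigs touched by this patch. The check is now always live and `devmem_restricted` is initialised to 1 in drivers/char/mem.c, so /dev/mem is filtered until the sysctl is changed. The commit message does not mention this, and tools that read RAM through /dev/mem will presumably see it as a behaviour change. The bare declaration also deserves a comment, for example `/* non-zero: /dev/mem access is filtered; defined in drivers/char/mem.c, default 1 */`.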
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 43b70b8..b4bbf80 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -37,8 +37,6 @@
 #endif
 
 
-#ifdef CONFIG_STRICT_DEVMEM
-
 int devmem_restricted = 1;
 
 #ifdef CONFIG_SYSCTL
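Review bot: With the `#ifdef CONFIG_STRICT_DEVMEM` guard removed, `int devmem_restricted = 1;` becomes the only control over /dev/mem filtering, and it is an ordinary writable global that a sysctl can clear at run time. The commit message justifies this by saying root can bypass the check with a module anyway, but that does not hold on kernels built without module support or where module loading is otherwise denied; there the compile-time option was a guarantee the sysctl cannot give. Consider making the knob one-way (it can be set to 1 but not cleared again) or keeping a build-time way to make it read-only. The sysctl table and handler sit between this hunk and the next, so I cannot see which mode and handler they use. A comment on the variable such as `/* 1 = filter /dev/mem, 0 = allow all of memory; writable via sysctl */` would record the meaning.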
@@ -74,9 +72,6 @@ struct ctl_table dev_sysctl_table[] = {
 
 #endif
 
-#endif /* CONFIG_STRICT_DEVMEM */
-
-
 /*
  * Architectures vary in how they handle caching for addresses
  * outside of main memory.
@@ -1034,7 +1029,7 @@ static int __init chr_dev_init(void)
 			      MKDEV(MEM_MAJOR, devlist[i].minor), NULL,
 			      devlist[i].name);
 
-#if defined(CONFIG_SYSCTL) && defined(CONFIG_STRICT_DEVMEM)
+#if defined(CONFIG_SYSCTL)
 	/*
 	 * since there is no unload function, we don't have to deregister that
 	 * the whole lifetime of the kernel and can ignore the return value
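Review bot: `#if defined(CONFIG_SYSCTL)` now tests a single symbol and would read better as `#ifdef CONFIG_SYSCTL`, matching the guard used around the sysctl table earlier in this file. The context comment says the return value of the registration can be ignored. Since the variable defaults to 1, a failed registration leaves /dev/mem filtered, which is the safe side, but a one-line warning would tell an administrator why the knob is missing. chr_dev_init starts before and continues after this hunk, so the registration call itself is not visible here.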
-- 
1.6.0.4
