From: Matthew Garrett <mjg59@xxxxxxxxxxxxx> custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if the kernel is locked down. Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> cc: linux-acpi@xxxxxxxxxxxxxxx --- drivers/acpi/custom_method.c | 4 ++++ include/linux/security.h | 1 + security/lockdown/lockdown.c | 1 + 3 files changed, 6 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c index aa972dc5cb7e..5c684b09a2d1 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -8,6 +8,7 @@ #include <linux/uaccess.h> #include <linux/debugfs.h> #include <linux/acpi.h> +#include <linux/security.h> #include "internal.h" @@ -29,6 +30,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, struct acpi_table_header table; acpi_status status; + if (security_is_locked_down(LOCKDOWN_ACPI_TABLES)) + return -EPERM; + if (!(*ppos)) { /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) diff --git a/include/linux/security.h b/include/linux/security.h index 81c0968e485f..88d0f5d0cd87 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -89,6 +89,7 @@ enum lockdown_reason { LOCKDOWN_PCI_ACCESS, LOCKDOWN_IOPORT, LOCKDOWN_MSR, + LOCKDOWN_ACPI_TABLES, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a01301972290..bfc0e088aa85 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_MSR] = "raw MSR access", + [LOCKDOWN_ACPI_TABLES] = "modified ACPI tables", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog