
Commit f474e148 authored by Matthew Garrett, committed by James Morris

ACPI: Limit access to custom_method when the kernel is locked down



custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
cc: linux-acpi@vger.kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
parent 95f5e95f
+6 −0
@@ -9,6 +9,7 @@
#include <linux/uaccess.h>
#include <linux/debugfs.h>
#include <linux/acpi.h>
#include <linux/security.h>

#include "internal.h"

@@ -29,6 +30,11 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,

	struct acpi_table_header table;
	acpi_status status;
	int ret;

	ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
	if (ret)
		return ret;

	if (!(*ppos)) {
		/* parse the table header to get the table length */
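
Review bot: The security_locked_down(LOCKDOWN_ACPI_TABLES) call at the top of cm_write() has no comment explaining why a write to custom_method counts as an ACPI table modification. The placement itself is good: it runs before the `if (!(*ppos))` branch, so it gates the first chunk and every continuation write, and it returns before user_buf is read. Please add a one-line comment above the check that carries the rationale from the commit message (custom_method effectively allows arbitrary access to system memory), so that a later refactor of cm_write() does not move the check below the header parse or drop it as redundant.
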
+1 −0
@@ -110,6 +110,7 @@ enum lockdown_reason {
	LOCKDOWN_PCI_ACCESS,
	LOCKDOWN_IOPORT,
	LOCKDOWN_MSR,
	LOCKDOWN_ACPI_TABLES,
	LOCKDOWN_INTEGRITY_MAX,
	LOCKDOWN_CONFIDENTIALITY_MAX,
};
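
Review bot: LOCKDOWN_ACPI_TABLES is inserted above LOCKDOWN_INTEGRITY_MAX, and nothing in the enum or the commit message states that this position is what classes the new reason as an integrity restriction rather than a confidentiality one. Since the justification given is circumventing restrictions on module loading, integrity is the right class, but the ordering dependency is easy to break when the next reason is added. A short comment in enum lockdown_reason noting that entries above LOCKDOWN_INTEGRITY_MAX are integrity reasons, or a sentence in the commit message saying so, would make the intent reviewable.
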
+1 −0
@@ -25,6 +25,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
	[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
	[LOCKDOWN_IOPORT] = "raw io port access",
	[LOCKDOWN_MSR] = "raw MSR access",
	[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",
	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
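
Review bot: The reason text on the `[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables"` line does not mention custom_method, which is the only caller this patch adds. Someone who sees this reason reported for a write to the custom_method debugfs file has no direct way to connect the two. Either word the string so it covers method injection as well as table modification, or confirm that the name is intentionally broad because further ACPI table paths will share this reason. The entry is otherwise consistent with the enum hunk: the array uses designated initializers and the new enum value gets a matching string in the same patch.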