| From a3494ee8fa20560e9407ad391a577d4898841ef1 Mon Sep 17 00:00:00 2001 |
| From: Alan Cox <alan@linux.intel.com> |
| Date: Thu, 15 Nov 2012 13:06:22 +0000 |
| Subject: [PATCH] x86/msr: Add capabilities check |
| |
| commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream. |
| |
| At the moment the MSR driver only relies upon file system |
| checks. This means that anything as root with any capability set |
| can write to MSRs. Historically that wasn't very interesting but |
| on modern processors the MSRs are such that writing to them |
| provides several ways to execute arbitary code in kernel space. |
| Sample code and documentation on doing this is circulating and |
| MSR attacks are used on Windows 64bit rootkits already. |
| |
| In the Linux case you still need to be able to open the device |
| file so the impact is fairly limited and reduces the security of |
| some capability and security model based systems down towards |
| that of a generic "root owns the box" setup. |
| |
| Therefore they should require CAP_SYS_RAWIO to prevent an |
| elevation of capabilities. The impact of this is fairly minimal |
| on most setups because they don't have heavy use of |
| capabilities. Those using SELinux, SMACK or AppArmor rules might |
| want to consider if their rulesets on the MSR driver could be |
| tighter. |
| |
| Signed-off-by: Alan Cox <alan@linux.intel.com> |
| Cc: Linus Torvalds <torvalds@linux-foundation.org> |
| Cc: Andrew Morton <akpm@linux-foundation.org> |
| Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> |
| Signed-off-by: Ingo Molnar <mingo@kernel.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| arch/x86/kernel/msr.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c |
| index 4d4468e9f47c..56b77410a9fe 100644 |
| --- a/arch/x86/kernel/msr.c |
| +++ b/arch/x86/kernel/msr.c |
| @@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file) |
| unsigned int cpu; |
| struct cpuinfo_x86 *c; |
| |
| + if (!capable(CAP_SYS_RAWIO)) |
| + return -EPERM; |
| + |
| cpu = iminor(file->f_path.dentry->d_inode); |
| if (cpu >= nr_cpu_ids || !cpu_online(cpu)) |
| return -ENXIO; /* No such CPU */ |
| -- |
| 1.8.5.2 |
| |