summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorNathan Lynch <nathanl@linux.ibm.com>2022-09-26 08:16:42 -0500
committerMichael Ellerman <mpe@ellerman.id.au>2022-09-28 19:22:14 +1000
commit99df7a2810b6d24651d4887ab61a142e042fb235 (patch)
tree8971794e78eac8ad3319c45cade3a702d91dc244 /security
parent6bd7ff497b4af13ea3d53781ffca7dc744dbb4da (diff)
downloadlinux-99df7a2810b6d24651d4887ab61a142e042fb235.tar.gz
linux-99df7a2810b6d24651d4887ab61a142e042fb235.tar.bz2
linux-99df7a2810b6d24651d4887ab61a142e042fb235.zip
powerpc/pseries: block untrusted device tree changes when locked down
The /proc/powerpc/ofdt interface allows the root user to freely alter the in-kernel device tree, enabling arbitrary physical address writes via drivers that could bind to malicious device nodes, thus making it possible to disable lockdown. Historically this interface has been used on the pseries platform to facilitate the runtime addition and removal of processor, memory, and device resources (aka Dynamic Logical Partitioning or DLPAR). Years ago, the processor and memory use cases were migrated to designs that happen to be lockdown-friendly: device tree updates are communicated directly to the kernel from firmware without passing through untrusted user space. I/O device DLPAR via the "drmgr" command in powerpc-utils remains the sole legitimate user of /proc/powerpc/ofdt, but it is already broken in lockdown since it uses /dev/mem to allocate argument buffers for the rtas syscall. So only illegitimate uses of the interface should see a behavior change when running on a locked down kernel. Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Acked-by: Paul Moore <paul@paul-moore.com> (LSM) Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220926131643.146502-2-nathanl@linux.ibm.com
Diffstat (limited to 'security')
-rw-r--r--security/security.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 14d30fec8a00..400ab5de631e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -52,6 +52,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_IOPORT] = "raw io port access",
[LOCKDOWN_MSR] = "raw MSR access",
[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",
+ [LOCKDOWN_DEVICE_TREE] = "modifying device tree contents",
[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",
[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",
[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",