diff options
author | David Howells <dhowells@redhat.com> | 2019-08-19 17:17:57 -0700 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-19 21:54:16 -0700 |
commit | 02e935bf5b34edcc4cb0dc532dd0e1a1bfb33b51 (patch) | |
tree | d1029d3f5dccd6dbba74b1d0b445fa2b5ee4ffb4 /fs/proc | |
parent | 906357f77a077508d160e729f917c5f0a4304f25 (diff) |
lockdown: Lock down /proc/kcore
Disallow access to /proc/kcore when the kernel is locked down to prevent
access to cryptographic data. This is limited to lockdown
confidentiality mode and is still permitted in integrity mode.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'fs/proc')
-rw-r--r-- | fs/proc/kcore.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index f5834488b67d..ee2c576cc94e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -31,6 +31,7 @@ #include <linux/ioport.h> #include <linux/memory.h> #include <linux/sched/task.h> +#include <linux/security.h> #include <asm/sections.h> #include "internal.h" @@ -545,6 +546,10 @@ out: static int open_kcore(struct inode *inode, struct file *filp) { + int ret = security_locked_down(LOCKDOWN_KCORE); + + if (ret) + return ret; if (!capable(CAP_SYS_RAWIO)) return -EPERM; |