x86: introduce /dev/mem restrictions with a config option
This patch introduces a restriction on /dev/mem: Only non-memory can be read or written unless the newly introduced config option is set. The X server needs access to /dev/mem for the PCI space, but it doesn't need access to memory; both the file permissions and SELinux permissions of /dev/mem just make X effectively super-super powerful. With the exception of the BIOS area, there's just no valid app that uses /dev/mem on actual memory. Other popular users of /dev/mem are rootkits and the like. (note: mmap access of memory via /dev/mem was already not allowed since a really long time) People who want to use /dev/mem for kernel debugging can enable the config option. The restrictions of this patch have been in the Fedora and RHEL kernels for at least 4 years without any problems. Signed-off-by:Arjan van de Ven <arjan@linux.intel.com> Signed-off-by:
Showing
- arch/x86/Kconfig.debug 12 additions, 0 deletionsarch/x86/Kconfig.debug
- arch/x86/mm/init_32.c 19 additions, 0 deletionsarch/x86/mm/init_32.c
- arch/x86/mm/init_64.c 20 additions, 0 deletionsarch/x86/mm/init_64.c
- drivers/char/mem.c 28 additions, 0 deletionsdrivers/char/mem.c
- include/asm-x86/page.h 1 addition, 0 deletionsinclude/asm-x86/page.h
Loading
Please register or sign in to comment