Kconfig: Make config Filter access to /dev/mem default y
in [Kernel]
|
Prev: [Question] integrating KDB with linux kernel
Next: drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM
From: Michal Svoboda on 15 Apr 2010 02:40 Xiaotian Feng wrote: > Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM > is not set, the /dev/mem access is filtered in pat code. If that option doesn't add any protection, what's it good for?
From: Jiri Kosina on 15 Apr 2010 06:50 On Thu, 15 Apr 2010, Michal Svoboda wrote: > > Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM > > is not set, the /dev/mem access is filtered in pat code. > > If that option doesn't add any protection, what's it good for? Access to /dev/mem being filtered in PAT obviously applies only to x86. Architectures which don't do such filtering in their respective phys_mem_access_prot_allowed() still need this option. -- Jiri Kosina SUSE Labs, Novell Inc. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Alan Cox on 15 Apr 2010 07:00 On Thu, 15 Apr 2010 08:36:26 +0200 Michal Svoboda <michal.svoboda(a)agents.felk.cvut.cz> wrote: > Xiaotian Feng wrote: > > Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM > > is not set, the /dev/mem access is filtered in pat code. > > If that option doesn't add any protection, what's it good for? PAT is x86 specific -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Michal Svoboda on 15 Apr 2010 09:50 Jiri Kosina wrote: > Access to /dev/mem being filtered in PAT obviously applies only to x86. > > Architectures which don't do such filtering in their respective > phys_mem_access_prot_allowed() still need this option. So why not use it for all archs uniformly? Is PAT filtering better in some ways? Michal Svoboda
From: Alan Cox on 15 Apr 2010 10:00
On Thu, 15 Apr 2010 15:41:53 +0200 Michal Svoboda <michal.svoboda(a)agents.felk.cvut.cz> wrote: > Jiri Kosina wrote: > > Access to /dev/mem being filtered in PAT obviously applies only to x86. > > > > Architectures which don't do such filtering in their respective > > phys_mem_access_prot_allowed() still need this option. > > So why not use it for all archs uniformly? Is PAT filtering better in > some ways? PAT is an x86 specific hardware feature. The x86 processors can set per page caching properties as with some other CPU designs. In the x86 case all references to the page must have the same cache settings so the PAT implementation has to filter /dev/mem access to avoid machine check errors. It's not implemented as a security feature, its a side effect of the hardware requirements on that CPU range. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |