Re: restricting access to /dev/mem
Posted Aug 9, 2006 2:12 UTC (Wed) by bluefoxicy
In reply to: Re: restricting access to /dev/mem
Parent article: Kernel Summit 2005: The ExecShield patches
>> We don't want to give blanket /dev/mem access _even to processes
>> that are allowed to read/write the safe portions of it_
>> (i.e. X.org).
>I agree, I don't want to do this either. That's why I drop SYS_RAWIO (and
>CAP_SYS_MODULE, CAP_SYS_ADMIN, etc) in my boot scripts.
What Ingo is saying is he wants to do like grsecurity does and block access to /dev/mem EXCEPT for video memory. Xorg would be able to mmap() video memory in through /dev/mem; but it wouldn't be able to touch kernel memory through the same interface.
grsecurity does this so at worst an attacker can hijack X and totally screw up your video and maybe crash your system in the process (touching the video card wrong is BAD); they're just learning from a really good example. It's a much more fine-grained model than CAP_SYS_RAWIO because it's not straight "you can have /dev/mem or you can't."
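Added example, not part of the comment above and not grsecurity or kernel code: a user-space C model of the contrast the comment draws between an all-or-nothing capability check and a per-range check that admits only video memory. The function names and the range table are assumptions, and the framebuffer aperture address is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Physical address range, end exclusive. */
struct phys_range { uint64_t start, end; };

/* Constructed allowlist: the legacy VGA window plus a hypothetical
 * 16 MiB framebuffer aperture (assumed address, for illustration). */
static const struct phys_range video_ranges[] = {
    { 0x000A0000ULL, 0x000C0000ULL },
    { 0xE0000000ULL, 0xE1000000ULL },
};

/* Coarse model: holding the capability grants every physical address. */
bool coarse_allowed(bool has_rawio, uint64_t off, uint64_t len)
{
    (void)off; (void)len;           /* the address is never consulted */
    return has_rawio;
}

/* Fine-grained model: the whole request must sit inside one video range. */
bool video_only_allowed(uint64_t off, uint64_t len)
{
    size_t n = sizeof video_ranges / sizeof video_ranges[0];

    if (len == 0 || off + len < off)    /* empty or wrapping request */
        return false;
    for (size_t i = 0; i < n; i++)
        if (off >= video_ranges[i].start && off + len <= video_ranges[i].end)
            return true;
    return false;                       /* default deny: RAM, kernel, MMIO */
}

int main(void)
{
    /* Same request for ordinary RAM at 1 MiB under both models. */
    printf("coarse, cap held : %d\n", coarse_allowed(true, 0x100000, 0x1000));
    printf("video-only       : %d\n", video_only_allowed(0x100000, 0x1000));
    /* A mapping that starts in VGA memory but runs past its end. */
    printf("straddling VGA   : %d\n", video_only_allowed(0xBF000, 0x2000));
    return 0;
}
```
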