• Alan Cox's avatar
    x86/msr: Add capabilities check · c903f045
    Alan Cox authored
    At the moment the MSR driver only relies upon file system
    checks. This means that anything as root with any capability set
    can write to MSRs. Historically that wasn't very interesting but
    on modern processors the MSRs are such that writing to them
    provides several ways to execute arbitary code in kernel space.
    Sample code and documentation on doing this is circulating and
    MSR attacks are used on Windows 64bit rootkits already.
    
    In the Linux case you still need to be able to open the device
    file so the impact is fairly limited and reduces the security of
    some capability and security model based systems down towards
    that of a generic "root owns the box" setup.
    
    Therefore they should require CAP_SYS_RAWIO to prevent an
    elevation of capabilities. The impact of this is fairly minimal
    on most setups because they don't have heavy use of
    capabilities. Those using SELinux, SMACK or AppArmor rules might
    want to consider if their rulesets on the MSR driver could be
    tighter.
    Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Horses <stable@kernel.org>
    Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
    c903f045
msr.c 6.49 KB