Re: LockDown that allows read of /dev/mem ?

From: Enrico Weigelt, metux IT consult
Date: Mon Jun 21 2021 - 06:27:47 EST


On 20.06.21 01:55, David F. wrote:

> I'm finding that LockDown Integrity blocks things like mdadm,
> Xvesa, and a couple of my specialized tools. There should be an
> option to allow /dev/mem read access. Is there? There are no secrets
> to the boot disk booted environment; it's all root.

Looks like a conflict of goals. Lockdown is used in scenarios where one
really doesn't take any chance that code running w/ root privileges can
do such things (there's a lot of security-critical information one can
learn from reading the raw memory).

I wonder what your actual use case is.

* why are you using lockdown and also running everything as root?
* why are you still using the old Xvesa instead of using KMS or
  framebuffer device?
* why does mdadm want to access /dev/mem?



--mtx

--
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287