Re: [PATCH] kernel: Restrict permissions of /proc/iomem.
From: Andrew Morton
Date: Fri Oct 25 2019 - 17:32:25 EST
On Fri, 25 Oct 2019 16:56:41 +0800 zhanglin <zhang.lin16@xxxxxxxxxx> wrote:
> The permissions of /proc/iomem currently are -r--r--r--. Everyone can
> see its content. As iomem contains information about the physical memory
> content of the device, restrict the information only to root.
>
> ...
>
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -139,7 +139,8 @@ static int __init ioresources_init(void)
> {
> proc_create_seq_data("ioports", 0, NULL, &resource_op,
> &ioport_resource);
> - proc_create_seq_data("iomem", 0, NULL, &resource_op, &iomem_resource);
> + proc_create_seq_data("iomem", S_IRUSR, NULL, &resource_op,
> + &iomem_resource);
> return 0;
> }
> __initcall(ioresources_init);
It's risky to change things like this - heaven knows which userspace
applications might break.
Possibly we could obfuscate the information if that is considered
desirable. Why is this a problem anyway? What are the possible
exploit scenarios?
Can't the same info be obtained by running dmesg and looking at the
startup info?
Can't the user who is concerned about this run chmod 0400 /proc/iomem
at boot?
Maybe Kees has an opinion?