    x86: introduce /dev/mem restrictions with a config option · ae531c26
    Arjan van de Ven authored
    This patch introduces a restriction on /dev/mem: Only non-memory can be
    read or written unless the newly introduced config option is set.
    
    The X server needs access to /dev/mem for the PCI space, but it doesn't need
    access to memory; both the file permissions and SELinux permissions of /dev/mem
    just make X effectively super-super powerful. With the exception of the
    BIOS area, there's just no valid app that uses /dev/mem on actual memory.
    Other popular users of /dev/mem are rootkits and the like.
    (note: mmap access of memory via /dev/mem has already been disallowed for
    a really long time)
    
    People who want to use /dev/mem for kernel debugging can enable the config
    option.
    
    The restrictions of this patch have been in the Fedora and RHEL kernels for
    at least 4 years without any problems.
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
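The policy the commit message describes, modelled as a stand-alone C program (an added example, not the kernel's own code): accesses to pages of real RAM are refused, accesses to non-RAM (PCI space, reserved regions) and to the BIOS area are allowed, and the whole check is bypassed when the debugging config option is set. The memory map, the 1 MiB BIOS-area boundary and the function names are assumptions made for this example.

```c
/* Model of the /dev/mem restriction: RAM is refused, non-RAM and the BIOS
 * area are allowed, unless the debug config option (strict == false) is set.
 * Added example; the map and the 1 MiB BIOS boundary are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096ULL
#define BIOS_AREA_END (1ULL << 20)  /* assumption: low 1 MiB stays readable */

struct range { uint64_t start, end; bool is_ram; };

/* Constructed e820-style map (hypothetical values, end is exclusive). */
static const struct range mem_map[] = {
    { 0x000000000ULL, 0x00009fc00ULL, true  },  /* low RAM */
    { 0x0000f0000ULL, 0x000100000ULL, false },  /* BIOS ROM (reserved) */
    { 0x000100000ULL, 0x0c0000000ULL, true  },  /* main RAM */
    { 0x0e0000000ULL, 0x0f0000000ULL, false },  /* PCI MMIO window */
};

static bool page_is_ram(uint64_t pfn)
{
    uint64_t addr = pfn * PAGE_SIZE;
    for (size_t i = 0; i < sizeof mem_map / sizeof mem_map[0]; i++)
        if (mem_map[i].is_ram && addr >= mem_map[i].start && addr < mem_map[i].end)
            return true;
    return false;  /* holes in the map are treated as non-RAM */
}

/* Page-level policy: BIOS area or non-RAM -> allowed; RAM -> refused. */
bool devmem_page_allowed(uint64_t pfn, bool strict)
{
    if (!strict) return true;  /* config option for kernel debugging */
    if (pfn * PAGE_SIZE < BIOS_AREA_END) return true;
    return !page_is_ram(pfn);
}

/* A read/write of len bytes at physical offset off is allowed only if every
 * page it touches is allowed, so a request that runs into RAM is refused. */
bool devmem_access_allowed(uint64_t off, size_t len, bool strict)
{
    if (len == 0) return true;
    uint64_t first = off / PAGE_SIZE, last = (off + len - 1) / PAGE_SIZE;
    for (uint64_t pfn = first; pfn <= last; pfn++)
        if (!devmem_page_allowed(pfn, strict)) return false;
    return true;
}

int main(void)
{
    printf("PCI window:  %s\n", devmem_access_allowed(0xe0000000ULL, 4096, true) ? "allowed" : "refused");
    printf("RAM @16 MiB: %s\n", devmem_access_allowed(0x1000000ULL, 16, true) ? "allowed" : "refused");
    return 0;
}
```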