Devices in GNU/Linux are present as files in /dev/, so we can use the same method of protecting files described above to protect devices. But in some cases a user can also use raw I/O operations to bypass the filesystem and read or write the device directly, and we must consider that case as well.
User-space raw I/O access is performed through the system calls sys_ioperm and sys_iopl. You can have a look at /usr/src/linux/arch/i386/kernel/ioport.c. This part is architecture dependent, so if we port to another hardware platform we need to take care of it there.
Most of the time, applications do not need to access a device other than through its device file name in /dev/. But some particular applications need to access it directly, such as the X server, which writes to /dev/mem and even uses raw I/O. We therefore need some exceptions when protecting devices. LIDS defines these exceptions when the kernel is configured.
The initialization is performed by init_vfs_security() in fs/lids.c.
/* in init_vfs_security(): build one table per exception class from the
 * program lists given at kernel configuration time */
#ifdef CONFIG_LIDS_ALLOW_DEV_MEM
lids_fill_table(allow_dev_mem, &last_dev_mem, LIDS_MAX_ALLOWED, CONFIG_LIDS_DEV_MEM_PROGS);
#endif
#ifdef CONFIG_LIDS_ALLOW_RAW_DISKS
lids_fill_table(allow_raw_disks, &last_raw_disks, LIDS_MAX_ALLOWED, CONFIG_LIDS_RAW_DISKS_PROGS);
#endif
#ifdef CONFIG_LIDS_ALLOW_IO_PORTS
lids_fill_table(allow_io_ports, &last_io_ports, LIDS_MAX_ALLOWED, CONFIG_LIDS_IO_PORTS_PROGS);
#endif
Then, when a process (program) wants to access an I/O port or a raw disk directly, LIDS checks whether it is one of the exceptions defined in the corresponding array (allow_raw_disks up to last_raw_disks, allow_io_ports up to last_io_ports, etc.). The check is performed by lids_search_inode(inode), which is called from lids_check_base().
For example, let's look at the CONFIG_LIDS_ALLOW_DEV_MEM.
/* in lids_search_inode(): the calling program's image is identified by its
 * (device, inode) pair and looked up in the table filled at boot */
#ifdef CONFIG_LIDS_ALLOW_DEV_MEM
    for (i = 0; i < last_dev_mem; i++) {
        if (allow_dev_mem[i].ino == ino && allow_dev_mem[i].dev == dev) {
            return LIDS_READONLY;
        }
    }
#endif
#ifdef CONFIG_LIDS_ALLOW_RAW_DISKS
We can see that allow_dev_mem contains the (device, inode) pairs of the allowed programs, which are filled in by init_vfs_security() at boot time.
Using the same method, we can protect raw devices, I/O port access, etc. from every program except the ones specified at configuration time.
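As an added user-space model of the lookup described above (this is not LIDS code; the table size, the LIDS_READONLY value, the entry layout and the lids_demo() function are assumptions), the following C program resolves a comma-separated program list to (dev, ino) pairs the way lids_fill_table() is used at boot, then answers the lids_search_inode() question for a caller's image:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define LIDS_MAX_ALLOWED 32   /* table size and verdict value are assumed here */
#define LIDS_READONLY    1
struct lids_entry { dev_t dev; ino_t ino; };   /* one allowed program image */

/* Resolve each path of a comma-separated list to (dev, ino) and append it;
 * a path that cannot be stat()ed is skipped and therefore gets no exception. */
int lids_fill_table(struct lids_entry *tbl, int *last, int max, const char *progs)
{
    char copy[256];                              /* strtok needs a writable copy */
    strncpy(copy, progs, sizeof copy - 1); copy[sizeof copy - 1] = '\0';
    for (char *p = strtok(copy, ","); p && *last < max; p = strtok(NULL, ",")) {
        struct stat st;
        if (stat(p, &st) != 0) continue;
        tbl[*last].dev = st.st_dev;
        tbl[(*last)++].ino = st.st_ino;
    }
    return *last;
}

/* Identity is the (dev, ino) pair, independent of the path the program was exec'd through. */
int lids_search_inode(const struct lids_entry *tbl, int last, dev_t dev, ino_t ino)
{
    for (int i = 0; i < last; i++)
        if (tbl[i].ino == ino && tbl[i].dev == dev)
            return LIDS_READONLY;
    return 0;
}

/* Constructed demonstration: a temp file stands in for the one listed program image, a bogus
 * path is skipped, and /tmp itself is the unlisted object. Returns 1 on the expected verdicts,
 * 0 otherwise, -1 if the temp file cannot be created. */
int lids_demo(void)
{
    struct lids_entry allow_dev_mem[LIDS_MAX_ALLOWED]; int last_dev_mem = 0;
    char prog[] = "/tmp/lids_prog_XXXXXX", progs[64] = "/no/such/prog,";
    int fd = mkstemp(prog);
    if (fd < 0) return -1; close(fd);
    strcat(progs, prog);
    lids_fill_table(allow_dev_mem, &last_dev_mem, LIDS_MAX_ALLOWED, progs);
    struct stat sp, so; stat(prog, &sp); stat("/tmp", &so);
    int vp = lids_search_inode(allow_dev_mem, last_dev_mem, sp.st_dev, sp.st_ino);
    int vo = lids_search_inode(allow_dev_mem, last_dev_mem, so.st_dev, so.st_ino);
    unlink(prog);
    return last_dev_mem == 1 && vp == LIDS_READONLY && vo == 0;
}
```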