Memory security on grsec with ACL mode enabled
Posted:
Mon Jan 12, 2004 2:17 pm
by cmouse
How secure is this, like can I access arbitrary memory regions as root? Memory can be accessed by other means than /dev/mem or /dev/kmem.
An example of this is rebooting the machine. Afaik it can be done by simply altering a byte in memory.
Posted:
Tue Jan 13, 2004 11:05 pm
by axehind
It's pretty secure if you use the memory protection enabled in the kernel in addition to the protection the ACL provides.
Posted:
Fri Jan 16, 2004 2:32 pm
by cmouse
Can this be proven? I don't know the kernel source very well, but what is the protection that is provided by grsecurity against BIOS/APIC/ACPI access as root?
Posted:
Tue Jan 20, 2004 8:38 am
by cmouse
Either my question is trivial or wrongly put, but I would still appreciate a comment from f.ex. splender to prove that, since /dev/?mem is not the only way into the machine's memory, the security exists. There are several different methods which could be used to point into kernel / device memory regions. Is there anything to stop these other ways, such as directly accessing the memory or other ways? If my question is trivial or somehow stupid please let me know as well.
Posted:
Mon Feb 02, 2004 12:58 pm
by PaX Team
cmouse wrote: Either my question is trivial or wrongly put, but I would still appreciate a comment from f.ex. splender to prove that, since /dev/?mem is not the only way into the machine's memory, the security exists. There are several different methods which could be used to point into kernel / device memory regions. Is there anything to stop these other ways, such as directly accessing the memory or other ways? If my question is trivial or somehow stupid please let me know as well.
can you be more specific as to what methods (and the context in which they're to be used) you're talking about?
Posted:
Sat Feb 07, 2004 6:36 pm
by cmouse
Sorry for the delay...
Anyway, there are several ways you can access memory:
1. Just point it to ptr and attempt to read since root has access to all memory. Perhaps you can even write to it then?
2. Dig swap region.
3. Use some device as point-of-entry.
I am not an expert in this field, but people far advanced in this area told me that there are several methods by which root can access memory. I just wonder which ways are covered by grsecurity...
Posted:
Sat Feb 07, 2004 9:48 pm
by siti
I think every process can only access its own memory, even if it is root. I think it's only the kernel that can access all memory, except through the special devices that grsecurity disables (/dev/kmem etc.).
Posted:
Sun Feb 08, 2004 7:12 am
by torne
cmouse wrote: 1. Just point it to ptr and attempt to read since root has access to all memory. Perhaps you can even write to it then?
This doesn't work, because pointers point to virtual address space, not physical address space. Memory protection is implemented in hardware and does not know or care whether the accessing process runs as root; only the kernel can make arbitrary mappings of physical memory. Userspace programs can only read/write memory that is not theirs via the kernel. Root does not have access to all memory, except through /dev/[k]mem.
Posted:
Sun Feb 08, 2004 1:47 pm
by cmouse
Oh, and then there is the question about BIOS/ACPI regions. Are they protected as well from read/write from root?
Posted:
Sun Feb 08, 2004 3:15 pm
by torne
You can't point at the BIOS or ACPI regions either, whether you are root or not; they are just memory, the same as all other memory, and thus my above comment still applies. If any write access is granted to those regions via a proc/sysfs entry or via any kernel driver, then they'll be writable by whoever has permission to write to those entries (i.e. root); but I'm not aware of any such entries/drivers.
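The behaviour torne describes in the two replies above, as an added example that is not part of the original thread: a child process treats a physical address as a pointer and the parent reports how the child ended. The address 0xF0000 (the legacy PC BIOS area) and the names `probe_read` and `BIOS_PHYS_ADDR` are assumptions chosen for illustration; the example also assumes nothing is mapped at that virtual address, which holds for ordinary Linux binaries.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Physical address of the legacy PC BIOS area, used here only as a number
 * to dereference (assumption: this virtual address is unmapped in the
 * calling process). */
#define BIOS_PHYS_ADDR ((uintptr_t)0xF0000)

/* Fork a child that reads one byte through `addr` treated as a pointer.
 * Returns the signal that killed the child, 0 if the read succeeded,
 * or -1 if fork/waitpid failed. */
int probe_read(uintptr_t addr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile const unsigned char *p = (volatile const unsigned char *)addr;
        unsigned char b = *p;  /* the MMU translates this as a virtual address */
        (void)b;
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    static unsigned char own = 42;  /* memory that does belong to the process */

    printf("euid=%d\n", (int)geteuid());
    printf("read of own data: signal %d\n", probe_read((uintptr_t)&own));
    printf("read of 0x%lx: signal %d (SIGSEGV is %d)\n",
           (unsigned long)BIOS_PHYS_ADDR, probe_read(BIOS_PHYS_ADDR), SIGSEGV);
    return 0;
}
```

The result is the same whether the program runs as root or as an unprivileged user, because the page tables consulted by the hardware do not depend on the UID.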
Posted:
Mon Mar 01, 2004 3:27 pm
by einsteinmg
What about computers with FireWire?
FireWire has direct memory access, without involving the CPU.
Is there a possibility to restrict this access? Maybe in the FireWire driver?