From: Peter Müller
Date: Tue, 19 Apr 2022 13:57:35 +0000 (+0000)
Subject: linux: Disable LSM for /dev/io port access
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=5b966f1b0a0f191c7d79b1609c122c16a65d3bfc

linux: Disable LSM for /dev/io port access

flashrom needs access to /dev/io ports for flashing firmware, a functionality we cannot cease to support. Therefore, LSM constraints are disabled for ioport.c, hopefully permitting us to keep it enabled.

Reported-by: Arne Fitzenreiter
Signed-off-by: Peter Müller
---

diff --git a/lfs/linux b/lfs/linux
index 91bba123bf..0deef74f26 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
 
+ # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 # Apply Arm-multiarch kernel patches.
 cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
new file mode 100644
index 0000000000..df7521d3bb
--- /dev/null
+++ b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
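Review bot: The comment on the added recipe line says "/dev/io access", but there is no such device node on Linux; what the referenced patch relaxes is the kernel-lockdown check on the ioperm(2)/iopl(2) syscalls, so `# flashrom needs ioperm(2)/iopl(2) for firmware flashing even under kernel lockdown; patch out the LOCKDOWN_IOPORT check in ioport.c` would describe it accurately. Unlike the preceding patch line, which cites a bugzilla entry, this one records no ticket or upstream reference, and the patch filename pins 5.15.32 while the recipe's kernel version is not visible here, so a one-line pointer to the tracking bug would help whoever does the next kernel bump.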
@@ -0,0 +1,30 @@
+--- linux-5.15.32.orig/arch/x86/kernel/ioport.c 2022-04-19 12:54:46.468477540 +0000
++++ linux-5.15.32/arch/x86/kernel/ioport.c 2022-04-19 12:56:21.423185714 +0000
+@@ -4,7 +4,6 @@
+  * by Linus. 32/64 bits code unification by Miguel Botón.
+  */
+ #include 
+-#include 
+ #include 
+ #include 
+ #include 
+@@ -70,8 +69,7 @@
+ 
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+- security_locked_down(LOCKDOWN_IOPORT)))
++ if (turn_on && (!capable(CAP_SYS_RAWIO)))
+ return -EPERM;
+ 
+ /*
+@@ -186,8 +184,7 @@
+ 
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO) ||
+- security_locked_down(LOCKDOWN_IOPORT))
++ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+ }
+ 
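Review bot: Deleting the `security_locked_down(LOCKDOWN_IOPORT)` test in both hunks (the ioperm path around old line 70 and the iopl path around old line 186; both enclosing functions extend beyond the hunks) removes the only check that keeps a CAP_SYS_RAWIO process away from raw port I/O on a locked-down kernel, so every root process, not just flashrom, regains the root-to-firmware path lockdown exists to close while the kernel still reports itself as locked down. If the lockdown LSM is to stay enabled, consider making the bypass opt-in — a Kconfig symbol or boot parameter defaulting to the upstream behaviour — and leaving a marker at the patched site such as `/* IPFire: LOCKDOWN_IOPORT check dropped so flashrom can use ioperm(2)/iopl(2) */`, so the deviation is visible in the tree and not only in this .patch file. It is also worth verifying the patch is sufficient, since flashrom's internal programmer presumably also needs /dev/mem, which lockdown gates through a separate hook. Note that "/dev/io" in the title and description is not a Linux device node; the hooks removed here guard the ioperm(2) and iopl(2) syscalls. The first hunk additionally drops a header include whose name was lost in extraction (presumably the security header); if ioport.c still uses anything from it the kernel build will fail, which the build would at least catch.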