From 5b966f1b0a0f191c7d79b1609c122c16a65d3bfc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Tue, 19 Apr 2022 13:57:35 +0000
Subject: [PATCH] linux: Disable LSM for /dev/io port access
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

flashrom needs access to /dev/io ports for flashing firmware, a functionality we cannot cease to support. Therefore, LSM constraints are disabled for ioport.c, hopefully permitting us to keep it enabled.
Reported-by: Arne Fitzenreiter
Signed-off-by: Peter Müller
---
 lfs/linux | 3 ++
 ....15.32-disable_lsm_for_ioport_access.patch | 30 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch

diff --git a/lfs/linux b/lfs/linux
index 91bba123bf..0deef74f26 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
+ # Unfortunately, /dev/io access is needed for firmware flashing; patch out LSM part in ioport.c
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 # Apply Arm-multiarch kernel patches.
 cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
diff --git a/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
new file mode 100644
index 0000000000..df7521d3bb
--- /dev/null
+++ b/src/patches/linux/linux-5.15.32-disable_lsm_for_ioport_access.patch
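Review bot: The added comment line says "patch out LSM part" and names /dev/io, but the patch it applies removes only the `security_locked_down(LOCKDOWN_IOPORT)` checks on the ioperm()/iopl() paths in arch/x86/kernel/ioport.c and leaves CAP_SYS_RAWIO in place, so the comment should name the control actually dropped, e.g. `# flashrom needs raw port I/O (ioperm/iopl); the patch drops the kernel-lockdown (LOCKDOWN_IOPORT) check in arch/x86/kernel/ioport.c but keeps the CAP_SYS_RAWIO check`. The new patch is named with the point release (linux-5.15.32-…) while the line above uses the unversioned linux-5.15-… scheme, so a later 5.15.x bump will either leave a misleading name or require a rename; the unversioned form would match the neighbouring patches. The recipe this hunk belongs to starts and ends outside the hunk.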
@@ -0,0 +1,30 @@
+--- linux-5.15.32.orig/arch/x86/kernel/ioport.c 2022-04-19 12:54:46.468477540 +0000
++++ linux-5.15.32/arch/x86/kernel/ioport.c 2022-04-19 12:56:21.423185714 +0000
+@@ -4,7 +4,6 @@
+ * by Linus. 32/64 bits code unification by Miguel Botón.
+ */
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -70,8 +69,7 @@
+
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
+- if (turn_on && (!capable(CAP_SYS_RAWIO) ||
+- security_locked_down(LOCKDOWN_IOPORT)))
++ if (turn_on && (!capable(CAP_SYS_RAWIO)))
+ return -EPERM;
+
+ /*
+@@ -186,8 +184,7 @@
+
+ /* Trying to gain more privileges? */
+ if (level > old) {
+- if (!capable(CAP_SYS_RAWIO) ||
+- security_locked_down(LOCKDOWN_IOPORT))
++ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+ }
+
-- 2.39.5
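Review bot: Removing `security_locked_down(LOCKDOWN_IOPORT)` from both the ioperm() path (the `turn_on` check) and the iopl() path (the `level > old` check) gives every CAP_SYS_RAWIO process raw port I/O even while lockdown is active, which is precisely the write-to-firmware path that lockdown's integrity mode exists to close, and the effect is system-wide rather than limited to flashrom. The patch file has no description header, so the accepted risk lives only in the commit message; add a few lines above the first `---` line stating the purpose, the kernel version it was made against, and that it intentionally drops the lockdown gate for ioperm/iopl while keeping the capability check. The removed include line (its target is lost in this rendering, presumably the header that declares security_locked_down) is safe only if nothing else in ioport.c depends on it, which a build with lockdown enabled would confirm. Both patched functions start and end outside the quoted hunks.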