2015-09-11 14:10:27 +00:00
|
|
|
From 6306cad6e5663424c08e5ebdfdcfd799c5537bfe Mon Sep 17 00:00:00 2001
|
2014-08-20 17:22:24 +00:00
|
|
|
From: Matthew Garrett <matthew.garrett@nebula.com>
|
|
|
|
Date: Fri, 9 Aug 2013 03:33:56 -0400
|
2015-09-11 14:10:27 +00:00
|
|
|
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
|
2014-08-20 17:22:24 +00:00
|
|
|
loading restrictions
|
|
|
|
|
|
|
|
kexec permits the loading and execution of arbitrary code in ring 0, which
|
|
|
|
is something that module signing enforcement is meant to prevent. It makes
|
|
|
|
sense to disable kexec in this situation.
|
|
|
|
|
|
|
|
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
|
|
---
|
|
|
|
kernel/kexec.c | 8 ++++++++
|
|
|
|
1 file changed, 8 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
2015-09-11 14:10:27 +00:00
|
|
|
index 4c5edc357923..db431971dbd4 100644
|
2014-08-20 17:22:24 +00:00
|
|
|
--- a/kernel/kexec.c
|
|
|
|
+++ b/kernel/kexec.c
|
2015-09-11 14:10:27 +00:00
|
|
|
@@ -10,6 +10,7 @@
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/file.h>
|
|
|
|
#include <linux/kexec.h>
|
2014-08-20 17:22:24 +00:00
|
|
|
+#include <linux/module.h>
|
2015-09-11 14:10:27 +00:00
|
|
|
#include <linux/mutex.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/syscalls.h>
|
|
|
|
@@ -133,6 +134,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
2014-08-20 17:22:24 +00:00
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
/*
|
|
|
|
+ * kexec can be used to circumvent module loading restrictions, so
|
|
|
|
+ * prevent loading in that case
|
|
|
|
+ */
|
|
|
|
+ if (secure_modules())
|
|
|
|
+ return -EPERM;
|
|
|
|
+
|
|
|
|
+ /*
|
|
|
|
* Verify we have a legal set of flags
|
|
|
|
* This leaves us room for future extensions.
|
|
|
|
*/
|
2015-09-09 15:10:06 +00:00
|
|
|
--
|
|
|
|
2.4.3
|
|
|
|
|