Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933835AbdDERQK (ORCPT ); Wed, 5 Apr 2017 13:16:10 -0400 Received: from mx1.redhat.com ([209.132.183.28]:39744 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933373AbdDERLD (ORCPT ); Wed, 5 Apr 2017 13:11:03 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 97F7C61D1A Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 97F7C61D1A Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down From: David Howells To: linux-kernel@vger.kernel.org Cc: matthew.garrett@nebula.com, linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, gregkh@linuxfoundation.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org Date: Wed, 05 Apr 2017 18:10:59 +0100 Message-ID: <149141225975.31282.16979443562841170389.stgit@warthog.procyon.org.uk> In-Reply-To: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> References: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 05 Apr 2017 17:11:02 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1019 Lines: 34 From: Matthew Garrett kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec in this situation. This does not affect kexec_file_load() which can check for a signature on the image to be booted. Signed-off-by: Matthew Garrett Signed-off-by: David Howells --- kernel/kexec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 980936a90ee6..46de8e6b42f4 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down()) + return -EPERM; + + /* * Verify we have a legal set of flags * This leaves us room for future extensions. */