From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752499AbdJSOvR (ORCPT ); Thu, 19 Oct 2017 10:51:17 -0400 Received: from mx1.redhat.com ([209.132.183.28]:45524 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751855AbdJSOvP (ORCPT ); Thu, 19 Oct 2017 10:51:15 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E20DFC0587D9 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=dhowells@redhat.com Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down From: David Howells To: linux-security-module@vger.kernel.org Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, matthew.garrett@nebula.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com Date: Thu, 19 Oct 2017 15:51:09 +0100 Message-ID: <150842466996.7923.17995994984545441369.stgit@warthog.procyon.org.uk> In-Reply-To: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> References: <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 19 Oct 2017 14:51:15 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec in this situation. This does not affect kexec_file_load() which can check for a signature on the image to be booted. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Dave Young cc: kexec@lists.infradead.org --- kernel/kexec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index e62ec4dc6620..7dadfed9b676 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down("kexec of unsigned images")) + return -EPERM; + + /* * Verify we have a legal set of flags * This leaves us room for future extensions. */