| From: Matthew Garrett <matthew.garrett@nebula.com>
| Date: Fri, 9 Aug 2013 03:33:56 -0400
| Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
|  loading restrictions
| 
| kexec permits the loading and execution of arbitrary code in ring 0, which
| is something that module signing enforcement is meant to prevent. It makes
| sense to disable kexec in this situation.
| 
| Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
| ---
|  kernel/kexec.c | 8 ++++++++
|  1 file changed, 8 insertions(+)
| 
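diff --git a/kernel/kexec.c b/kernel/kexec.c
index a785c1015e25..81d6b404f33c 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -36,6 +36,7 @@
 #include <linux/syscore_ops.h>
 #include <linux/compiler.h>
 #include <linux/hugetlb.h>
+#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
+	 * kexec can be used to circumvent module loading restrictions, so
+	 * prevent loading in that case
+	 */
+	if (secure_modules())
+		return -EPERM;
+
+	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
 	 */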
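Review bot: The new secure_modules() gate in the second hunk returns the same -EPERM as the capability check visible just above it, so a caller cannot distinguish a policy denial from a missing capability and nothing is recorded for operators; consider a rate-limited message before the return, e.g. `pr_notice_ratelimited("kexec_load: rejected, module loading restrictions are enforced\n");`, or an equivalent audit record, so the denial is observable. The check also runs before the "Verify we have a legal set of flags" block, so it presumably rejects crash-kernel loads as well, which the description should state explicitly since it means kdump is unavailable on such systems. If linux/module.h does not provide a stub for secure_modules() in configurations without module support, the added call would break those builds; worth confirming against the header. kexec_load's body begins and continues outside the hunk.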