diff options
author | Laura Abbott <labbott@fedoraproject.org> | 2015-09-01 15:03:08 -0700 |
---|---|---|
committer | Laura Abbott <labbott@fedoraproject.org> | 2015-09-01 15:59:56 -0700 |
commit | d07b889185195409a6090ed3e12fff475b4258f4 (patch) | |
tree | c2b98784a9c45c2ba5420c4a256c03d1c1c2e125 /kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch | |
parent | 07775e21b6d0c7b9c2251deb8cb5ef3052a38c6e (diff) | |
download | kernel-d07b889185195409a6090ed3e12fff475b4258f4.tar.gz kernel-d07b889185195409a6090ed3e12fff475b4258f4.tar.xz kernel-d07b889185195409a6090ed3e12fff475b4258f4.zip |
Linux v4.2
This is a squashed patch of the history from F22 + the 4.2 rebase
Diffstat (limited to 'kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch')
-rw-r--r-- | kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch new file mode 100644 index 000000000..5e2d79ec3 --- /dev/null +++ b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -0,0 +1,40 @@ +From: Matthew Garrett <matthew.garrett@nebula.com> +Date: Fri, 9 Aug 2013 03:33:56 -0400 +Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module + loading restrictions + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that module signing enforcement is meant to prevent. It makes +sense to disable kexec in this situation. + +Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> +--- + kernel/kexec.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/kexec.c b/kernel/kexec.c +index 38c25b1f2fd5..f2b5272156ce 100644 +--- a/kernel/kexec.c ++++ b/kernel/kexec.c +@@ -36,6 +36,7 @@ + #include <linux/syscore_ops.h> + #include <linux/compiler.h> + #include <linux/hugetlb.h> ++#include <linux/module.h> + + #include <asm/page.h> + #include <asm/uaccess.h> +@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + return -EPERM; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (secure_modules()) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ |