summaryrefslogtreecommitdiffstats
path: root/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
diff options
context:
space:
mode:
Diffstat (limited to 'kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch')
-rw-r--r--kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch44
1 files changed, 0 insertions, 44 deletions
diff --git a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
deleted file mode 100644
index ec8675eb4..000000000
--- a/kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 85968a9f0b3f05c56d4ac4002748f3412a9baab0 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
- loading restrictions
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that module signing enforcement is meant to prevent. It makes
-sense to disable kexec in this situation.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- kernel/kexec.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 980936a90ee6..fce28bf7d5d7 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -12,6 +12,7 @@
- #include <linux/mm.h>
- #include <linux/file.h>
- #include <linux/kexec.h>
-+#include <linux/module.h>
- #include <linux/mutex.h>
- #include <linux/list.h>
- #include <linux/syscalls.h>
-@@ -194,6 +195,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- return -EPERM;
-
- /*
-+ * kexec can be used to circumvent module loading restrictions, so
-+ * prevent loading in that case
-+ */
-+ if (secure_modules())
-+ return -EPERM;
-+
-+ /*
- * Verify we have a legal set of flags
- * This leaves us room for future extensions.
- */
---
-2.9.3
-