diff options
Diffstat (limited to 'secure-modules.patch')
-rw-r--r-- | secure-modules.patch | 74 |
1 files changed, 37 insertions, 37 deletions
diff --git a/secure-modules.patch b/secure-modules.patch index 0c93fa51b..478c62ff5 100644 --- a/secure-modules.patch +++ b/secure-modules.patch @@ -1,7 +1,7 @@ Bugzilla: N/A Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd -From b0466e5c5483957f8ca30b8f1bcf60bbad9d40aa Mon Sep 17 00:00:00 2001 +From 0f81a4461431941c17ff26fd3d5e284ede4a368a Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 2 files changed, 17 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index eaf60ff9ba94..5ab9d81e3b96 100644 +index f520a767c86c..fc9b54eb779e 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -512,6 +512,8 @@ int unregister_module_notifier(struct notifier_block *nb); +@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb); extern void print_modules(void); @@ -29,7 +29,7 @@ index eaf60ff9ba94..5ab9d81e3b96 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -622,6 +624,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) +@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) static inline void print_modules(void) { } @@ -42,10 +42,10 @@ index eaf60ff9ba94..5ab9d81e3b96 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 8dc7f5e80dd8..62f9b72bf85e 100644 +index 11869408f79b..2b9204fe055f 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3833,3 +3833,13 @@ void module_layout(struct module *mod, +@@ -3835,3 +3835,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -63,7 +63,7 @@ index 8dc7f5e80dd8..62f9b72bf85e 100644 1.8.5.3 -From 3df1daaa8cd3c8450fd8fda62ff4836eddbf0f09 Mon Sep 17 00:00:00 2001 +From 806c4ee0e6484b529b88b3d0ceb49f6edf96ae11 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -182,7 +182,7 @@ index 24750a1b39b6..fa57896b97dd 100644 1.8.5.3 -From c14a3599cdf71ccd6ea47e8b404412b8e7a5c1b3 Mon Sep 17 00:00:00 2001 +From 16ee82e2add8684e374451e6ba34be3ee41e4ef1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is @@ -255,7 +255,7 @@ index 917403fe10da..cdf839f9defe 100644 1.8.5.3 -From ccbc02eee179074b13acc2d7dfd17835726a579a Mon Sep 17 00:00:00 2001 +From 2fd4b35393b19cde87e4770d3b85d12760e72f6a Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -287,7 +287,7 @@ index c68e72414a67..4277938af700 100644 1.8.5.3 -From b40f05f5ec470bc59f41ca7ce66ea09614db60ea Mon Sep 17 00:00:00 2001 +From 543d64276237adb782ec30a5dab67d0b21afc1d4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -342,7 +342,7 @@ index c5e082fb82fa..03c57fc8de8a 100644 1.8.5.3 -From bfa6f400f5e0f98772f3c77b60d8ac3d39b080a8 Mon Sep 17 00:00:00 2001 +From 6e2fec5547b597c43ca72e34729b8a402660a7c1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is @@ -385,7 +385,7 @@ index cdf839f9defe..c63cf93b00eb 100644 1.8.5.3 -From e399403d8b74cbbb23ead4e43b70b4d82ee00402 Mon Sep 17 00:00:00 2001 +From 358cea0a54f726fa61839b411f3f54284d4588bf Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -401,7 +401,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 27f84af4e337..bd3ac0947890 100644 +index f7fd72ac69cf..ccdae1c8c386 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -44,6 +44,7 @@ @@ -425,7 +425,7 @@ index 27f84af4e337..bd3ac0947890 100644 1.8.5.3 -From 686268dea5fa802409d99f964005bc57d62f6b04 Mon Sep 17 00:00:00 2001 +From 89751b3ad4dea7cf5b806cd14126dd70657a9148 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -441,18 +441,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 45601cf41bee..d5819bb45bec 100644 +index c8380ad203bc..e6eb239f567a 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -32,6 +32,7 @@ - #include <linux/vmalloc.h> +@@ -33,6 +33,7 @@ #include <linux/swap.h> #include <linux/syscore_ops.h> + #include <linux/compiler.h> +#include <linux/module.h> #include <asm/page.h> #include <asm/uaccess.h> -@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -948,6 +949,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -470,7 +470,7 @@ index 45601cf41bee..d5819bb45bec 100644 1.8.5.3 -From 4a1068eb94b99cab1d31a8a87eea9aafb39bcea0 Mon Sep 17 00:00:00 2001 +From 31174421a7103571a1c3faf7ba27d4045e5fbc18 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Tue, 3 Sep 2013 11:23:29 -0400 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted @@ -510,7 +510,7 @@ index 98d357584cd6..efe99dee9510 100644 1.8.5.3 -From 569d0384d6846dae76910d5104666f11597a6a78 Mon Sep 17 00:00:00 2001 +From ea5cf8801db979fa7d5f90ab3faf72eb22490f9b Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is @@ -527,7 +527,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com> 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 05266b5aae22..e2bd647f676e 100644 +index c9603ac80de5..8bef43fc3f40 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -555,7 +555,7 @@ index 05266b5aae22..e2bd647f676e 100644 1.8.5.3 -From bca29272512c8646bf2feaf304a0eceb05c0d0c0 Mon Sep 17 00:00:00 2001 +From 2985684ff78972bde7ebf1e295b52afd9bea29e0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <matthew.garrett@nebula.com> Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 11/14] Add option to automatically enforce module signatures @@ -591,10 +591,10 @@ index 199f453cb4de..ec38acf00b40 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 26237934ac87..e27b78bcca34 100644 +index 5b8ec0f53b57..085d5eb36361 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1597,6 +1597,16 @@ config EFI_MIXED +@@ -1534,6 +1534,16 @@ config EFI_MIXED If unsure, say N. @@ -687,10 +687,10 @@ index 225b0988043a..90dbfb73e11f 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index fa511acff7e6..aa227f68687c 100644 +index 09c76d265550..5a61d732fd5c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1143,6 +1143,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -704,10 +704,10 @@ index fa511acff7e6..aa227f68687c 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index 5ab9d81e3b96..83144dd56ff0 100644 +index fc9b54eb779e..7377bc851461 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -191,6 +191,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); struct notifier_block; @@ -721,10 +721,10 @@ index 5ab9d81e3b96..83144dd56ff0 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 62f9b72bf85e..dcfb07ae5e4e 100644 +index 2b9204fe055f..2b8cc2d57c16 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3834,6 +3834,13 @@ void module_layout(struct module *mod, +@@ -3836,6 +3836,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -742,7 +742,7 @@ index 62f9b72bf85e..dcfb07ae5e4e 100644 1.8.5.3 -From 67ff850d16232e30c39109d29510d2a4aef34de9 Mon Sep 17 00:00:00 2001 +From b2e4ea728ccab2befbd5fe1bd834881a7dd8f34b Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@redhat.com> Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode @@ -801,7 +801,7 @@ index b00745ff398a..bf42cc5f083d 100644 1.8.5.3 -From 53645ba848224ee81978b17c5e5328dca798466f Mon Sep 17 00:00:00 2001 +From fb418c682d01c447d30b5591a591fdbf33b1334e Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -815,10 +815,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index e27b78bcca34..dfd068b32cdc 100644 +index 085d5eb36361..3e8d398a976d 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1598,7 +1598,8 @@ config EFI_MIXED +@@ -1535,7 +1535,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -832,7 +832,7 @@ index e27b78bcca34..dfd068b32cdc 100644 1.8.5.3 -From e5b7eaf1b5d04ec739464b6e2df21c666d060c69 Mon Sep 17 00:00:00 2001 +From 87bf357dd4589cfca043ec4b641b912a088b1234 Mon Sep 17 00:00:00 2001 From: Josh Boyer <jwboyer@fedoraproject.org> Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit @@ -847,10 +847,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index aa227f68687c..c7cf7919b3c4 100644 +index 5a61d732fd5c..23fe9bf3c401 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { |