Package: src:linux
Version: 4.19.67-2+deb10u2
Severity: normal

Dear Maintainer,
Echoing "x" into /proc/sysrq-trigger disables kernel lockdown, even though it shouldn't.

Kernel lockdown is meant to create a barrier between root and the kernel that can only be broken with physical access to the system. But a bug in debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch allows root to easily circumvent this security measure:

vagrant@buster:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown
vagrant@buster:~$ sudo dmesg | grep locked
[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
vagrant@buster:~$ sudo sysctl kernel.sysrq=1
kernel.sysrq = 1
vagrant@buster:~$ sudo sh -c "echo x > /proc/sysrq-trigger"
vagrant@buster:~$ sudo dmesg | tail
[    3.050592] vboxvideo 0000:00:02.0: fb0: vboxdrmfb frame buffer device
[    3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for 0000:00:02.0 on minor 0
[    3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    3.223529] Adding 1045500k swap on /dev/sda5.  Priority:-2 extents:1 across:1045500k FS
[    5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   42.660726] sysrq: SysRq :
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown

I already reported this bug to Ubuntu at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851380 but it also affects Debian. (There's a bit more context and a patch in that bug report.) Looking at the patch on salsa I think that this bug doesn't just exist in Buster, but that's the version I used to test it.
Best regards,
Niklas Sombert

-- Package-specific info:
** Version:
Linux version 4.19.0-6-amd64 (debian-ker...@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown

** Tainted: C (1024)
 * Module from drivers/staging has been loaded.

** Kernel log:
[    1.080252] Loading compiled-in X.509 certificates
[    1.123039] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    1.123062] Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
[    1.123095] zswap: loaded using pool lzo/zbud
[    1.123659] AppArmor: AppArmor sha1 policy hashing enabled
[    1.124095] rtc_cmos rtc_cmos: setting system clock to 2019-12-19 14:23:08 UTC (1576765388)
[    1.124123] Lockdown: Hibernation is restricted; see https://wiki.debian.org/SecureBoot
[    1.125951] Freeing unused kernel image memory: 1584K
[    1.148274] Write protecting the kernel read-only data: 16384k
[    1.150291] Freeing unused kernel image memory: 2028K
[    1.150967] Freeing unused kernel image memory: 772K
[    1.165327] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[    1.165329] x86/mm: Checking user space page tables
[    1.173508] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[    1.173511] Run /init as init process
[    1.274579] piix4_smbus 0000:00:07.0: SMBus Host Controller at 0x4100, revision 0
[    1.280038] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.280040] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.288044] SCSI subsystem initialized
[    1.297356] FDC 0 is an 82078.
[    1.306225] cryptd: max_cpu_qlen set to 1000
[    1.317316] libata version 3.00 loaded.
[    1.323785] ahci 0000:00:0d.0: version 3.0
[    1.324687] ahci 0000:00:0d.0: SSS flag set, parallel bus scan disabled
[    1.324882] ahci 0000:00:0d.0: AHCI 0001.0100 32 slots 1 ports 3 Gbps 0x1 impl SATA mode
[    1.324884] ahci 0000:00:0d.0: flags: 64bit ncq stag only ccc
[    1.325243] scsi host0: ahci
[    1.325387] ata1: SATA max UDMA/133 abar m8192@0xf0804000 port 0xf0804100 irq 21
[    1.336127] AVX2 version of gcm_enc/dec engaged.
[    1.336128] AES CTR mode by8 optimization enabled
[    1.553903] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input2
[    1.647971] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
[    1.648249] ata1.00: ATA-6: VBOX HARDDISK, 1.0, max UDMA/133
[    1.648253] ata1.00: 41533440 sectors, multi 128: LBA48 NCQ (depth 32)
[    1.649141] ata1.00: configured for UDMA/133
[    1.652372] scsi 0:0:0:0: Direct-Access     ATA      VBOX HARDDISK    1.0  PQ: 0 ANSI: 5
[    1.661577] sd 0:0:0:0: [sda] 41533440 512-byte logical blocks: (21.3 GB/19.8 GiB)
[    1.661585] sd 0:0:0:0: [sda] Write Protect is off
[    1.661587] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[    1.661596] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    1.662652]  sda: sda1 sda2 < sda5 >
[    1.662960] sd 0:0:0:0: [sda] Attached SCSI disk
[    1.726642] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 08:00:27:8d:c0:4d
[    1.726649] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[    1.925326] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
[    2.173566] systemd[1]: Inserted module 'autofs4'
[    2.192803] systemd[1]: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
[    2.192854] systemd[1]: Detected virtualization oracle.
[    2.192860] systemd[1]: Detected architecture x86-64.
[    2.203626] systemd[1]: Set hostname to <buster>.
[    2.204816] systemd[1]: Failed to bump fs.file-max, ignoring: Invalid argument
[    2.208030] Lockdown: BPF is restricted; see https://wiki.debian.org/SecureBoot
[    2.276511] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
[    2.276515] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[    2.341968] systemd[1]: Listening on udev Control Socket.
[    2.350693] systemd[1]: Created slice system-getty.slice.
[    2.350718] systemd[1]: Reached target Remote File Systems.
[    2.437728] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[    2.561461] systemd-journald[211]: Received request to flush runtime journal from PID 1
[    2.716029] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input3
[    2.717863] ACPI: Power Button [PWRF]
[    2.718080] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input4
[    2.718097] ACPI: Sleep Button [SLPF]
[    2.730497] ACPI: AC Adapter [AC] (on-line)
[    2.750810] battery: ACPI: Battery Slot [BAT0] (battery present)
[    2.773327] ACPI: Video Device [GFX0] (multi-head: yes  rom: no  post: no)
[    2.773420] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/LNXVIDEO:00/input/input5
[    2.779831] vboxguest: host-version: 5.2.34r133883 0x1
[    2.781683] vbg_heartbeat_init: Setting up heartbeat to trigger every 2000 milliseconds
[    2.781868] input: VirtualBox mouse integration as /devices/pci0000:00/0000:00:04.0/input/input6
[    2.798688] vboxguest: misc device minor 58, IRQ 20, I/O port d020, MMIO at 0x00000000f0400000 (size 0x0000000000400000)
[    2.817525] input: PC Speaker as /devices/platform/pcspkr/input/input7
[    2.841065] sd 0:0:0:0: Attached scsi generic sg0 type 0
[    2.869452] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 10737418240 ms ovfl timer
[    2.869454] RAPL PMU: hw unit of domain pp0-core 2^-0 Joules
[    2.869455] RAPL PMU: hw unit of domain package 2^-0 Joules
[    2.869456] RAPL PMU: hw unit of domain dram 2^-0 Joules
[    2.869456] RAPL PMU: hw unit of domain pp1-gpu 2^-0 Joules
[    2.961287] audit: type=1400 audit(1576765390.336:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=268 comm="apparmor_parser"
[    2.961291] audit: type=1400 audit(1576765390.336:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=268 comm="apparmor_parser"
[    2.961650] audit: type=1400 audit(1576765390.336:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=267 comm="apparmor_parser"
[    2.961652] audit: type=1400 audit(1576765390.336:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=267 comm="apparmor_parser"
[    2.961654] audit: type=1400 audit(1576765390.336:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=267 comm="apparmor_parser"
[    3.030128] vboxvideo: module is from the staging directory, the quality is unknown, you have been warned.
[    3.036508] [drm] VRAM 00800000
[    3.036740] [TTM] Zone  kernel: Available graphics memory: 247382 kiB
[    3.036741] [TTM] Initializing pool allocator
[    3.036745] [TTM] Initializing DMA pool allocator
[    3.039735] fbcon: vboxdrmfb (fb0) is primary device
[    3.048398] Console: switching to colour frame buffer device 100x37
[    3.050592] vboxvideo 0000:00:02.0: fb0: vboxdrmfb frame buffer device
[    3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for 0000:00:02.0 on minor 0
[    3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    3.223529] Adding 1045500k swap on /dev/sda5.  Priority:-2 extents:1 across:1045500k FS
[    5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   42.660726] sysrq: SysRq :
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown

** Model information
sys_vendor: innotek GmbH
product_name: VirtualBox
product_version: 1.2
chassis_vendor: Oracle Corporation
chassis_version: 
bios_vendor: innotek GmbH
bios_version: VirtualBox
board_vendor: Oracle Corporation
board_name: VirtualBox
board_version: 1.2

** Loaded modules:
crct10dif_pclmul
crc32_pclmul
vboxvideo(C)
ttm
joydev
drm_kms_helper
ghash_clmulni_intel
intel_rapl_perf
drm
evdev
sg
serio_raw
pcspkr
vboxguest
battery
ac
video
button
ip_tables
x_tables
autofs4
ext4
crc16
mbcache
jbd2
crc32c_generic
fscrypto
ecb
sd_mod
crc32c_intel
psmouse
aesni_intel
ahci
libahci
libata
aes_x86_64
crypto_simd
cryptd
glue_helper
scsi_mod
e1000
i2c_piix4
floppy

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
	Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-

00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0

00:02.0 VGA compatible controller [0300]: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter [80ee:beef] (prog-if 00 [VGA controller])
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 18
	Region 0: Memory at e0000000 (32-bit, prefetchable) [size=8M]
	[virtual] Expansion ROM at 000c0000 [disabled] [size=128K]
	Kernel driver in use: vboxvideo
	Kernel modules: vboxvideo

00:03.0 Ethernet controller [0200]: Intel Corporation 82540EM Gigabit Ethernet Controller [8086:100e] (rev 02)
	Subsystem: Intel Corporation PRO/1000 MT Desktop Adapter [8086:001e]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64 (63750ns min)
	Interrupt: pin A routed to IRQ 19
	Region 0: Memory at f0000000 (32-bit, non-prefetchable) [size=128K]
	Region 2: I/O ports at d000 [size=8]
	Capabilities: <access denied>
	Kernel driver in use: e1000
	Kernel modules: e1000

00:04.0 System peripheral [0880]: InnoTek Systemberatung GmbH VirtualBox Guest Service [80ee:cafe]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 20
	Region 0: I/O ports at d020 [size=32]
	Region 1: Memory at f0400000 (32-bit, non-prefetchable) [size=4M]
	Region 2: Memory at f0800000 (32-bit, prefetchable) [size=16K]
	Kernel driver in use: vboxguest
	Kernel modules: vboxguest

00:07.0 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 08)
	Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 9
	Kernel driver in use: piix4_smbus
	Kernel modules: i2c_piix4

00:0d.0 SATA controller [0106]: Intel Corporation 82801HM/HEM (ICH8M/ICH8M-E) SATA Controller [AHCI mode] [8086:2829] (rev 02) (prog-if 01 [AHCI 1.0])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 64
	Interrupt: pin A routed to IRQ 21
	Region 0: I/O ports at d040 [size=8]
	Region 1: I/O ports at d048 [size=4]
	Region 2: I/O ports at d050 [size=8]
	Region 3: I/O ports at d058 [size=4]
	Region 4: I/O ports at d060 [size=16]
	Region 5: Memory at f0804000 (32-bit, non-prefetchable) [size=8K]
	Capabilities: <access denied>
	Kernel driver in use: ahci
	Kernel modules: ahci

** USB devices:
not available

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-4.19.0-6-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.133+deb10u1
ii  kmod                                    26-1
ii  linux-base                              4.6

Versions of packages linux-image-4.19.0-6-amd64 recommends:
ii  apparmor             2.13.2-10
ii  firmware-linux-free  3.4

Versions of packages linux-image-4.19.0-6-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02+dfsg1-20
pn  linux-doc-4.19          <none>

Versions of packages linux-image-4.19.0-6-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
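The kernel log in the report gives a defender a clear signature to watch for: lockdown was announced at boot ("Kernel is locked down from command line"), individual restrictions were logged ("Lockdown: ... is restricted"), and later a "This sysrq operation is disabled from userspace." refusal was immediately followed by "Disabling Secure Boot restrictions" and "Lifting lockdown". The Python script below is an added example, not part of the bug report or of the Debian/Ubuntu lockdown patches. It parses dmesg-style lines (the embedded sample is a constructed, trimmed copy of the lines quoted in the report), records whether lockdown was active and which restrictions it applied, and flags a later lift, noting when the lift came right after the userspace refusal message, which is the pattern this bug produces. The one-second `window`, the `LockdownReport` fields and the finding wording are this example's own choices.

```python
# Added example (not from the bug report): scan dmesg-style output for a
# "Lifting lockdown" event and tie it to the preceding sysrq refusal message.
import re
import sys
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the lines quoted in the report.
SAMPLE_DMESG = """\
[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
[    1.124123] Lockdown: Hibernation is restricted; see https://wiki.debian.org/SecureBoot
[    2.208030] Lockdown: BPF is restricted; see https://wiki.debian.org/SecureBoot
[    5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   42.660726] sysrq: SysRq :
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown
"""

# A dmesg line looks like "[   42.660830] message"; the timestamp is seconds since boot.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")


@dataclass
class LockdownReport:
    locked_at_boot: bool = False
    restrictions: List[str] = field(default_factory=list)  # e.g. "Hibernation", "BPF"
    userspace_refused_at: Optional[float] = None
    lifted_at: Optional[float] = None
    findings: List[str] = field(default_factory=list)


def parse_dmesg(text: str) -> Iterator[Tuple[float, str]]:
    """Yield (timestamp, message) for each well-formed dmesg line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield float(m.group("ts")), m.group("msg").strip()


def analyze_lockdown(text: str, window: float = 1.0) -> LockdownReport:
    """Build a LockdownReport from dmesg text.  'window' is how close (in seconds)
    a userspace refusal must be to the lift to be treated as the same request."""
    r = LockdownReport()
    for ts, msg in parse_dmesg(text):
        if msg.startswith("Kernel is locked down"):
            r.locked_at_boot = True
        elif msg.startswith("Lockdown: ") and " is restricted" in msg:
            r.restrictions.append(msg[len("Lockdown: "):].split(" is restricted", 1)[0])
        elif msg.startswith("This sysrq operation is disabled from userspace"):
            r.userspace_refused_at = ts
        elif msg == "Lifting lockdown":
            r.lifted_at = ts
            if r.locked_at_boot:
                r.findings.append(f"lockdown enabled at boot but lifted at {ts:.6f}s")
            if r.userspace_refused_at is not None and ts - r.userspace_refused_at <= window:
                r.findings.append(
                    "lift followed a 'disabled from userspace' refusal within "
                    f"{window}s: the request came through /proc/sysrq-trigger, "
                    "not the console keyboard")
    return r


if __name__ == "__main__":
    # Usage: dmesg | python3 lockdown_check.py   (uses the sample when stdin is a tty)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    report = analyze_lockdown(data)
    print(f"locked at boot: {report.locked_at_boot}, restrictions: {report.restrictions}")
    for finding in report.findings:
        print("FINDING:", finding)
    sys.exit(1 if report.findings else 0)
```

A lift that arrives without the userspace refusal is reported too, with only the first finding: on an unpatched kernel that is the legitimate console-keyboard path, so the second finding is the one that distinguishes this bug from an operator deliberately lifting lockdown at the physical console.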