From a44d2968968fd667c8cbeba7c043f674d17e7ce7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <[email protected]> Date: Mon, 19 Aug 2013 13:26:09 -0400 Subject: [PATCH 09/13] kexec: Disable at runtime if the kernel enforces module loading restrictions
kexec permits the loading and execution of arbitrary code in ring 0, which is something that module signing enforcement is meant to prevent. It makes sense to disable kexec in this situation. Signed-off-by: Matthew Garrett <[email protected]> --- kernel/kexec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c index 59f7b55..1a7690f 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -32,6 +32,7 @@ #include <linux/vmalloc.h> #include <linux/swap.h> #include <linux/syscore_ops.h> +#include <linux/module.h> #include <asm/page.h> #include <asm/uaccess.h> @@ -1645,6 +1646,9 @@ int kernel_kexec(void) goto Unlock; } + if (secure_modules()) + return -EPERM; + #ifdef CONFIG_KEXEC_JUMP if (kexec_image->preserve_context) { lock_system_sleep(); -- 1.8.3.1 _______________________________________________ kernel mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/kernel
