kexec_load: Disable at runtime if the kernel is locked down
The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect the kexec_file_load() syscall, which can check for a signature on the image to be booted. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Dave Young <dyoung@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> cc: kexec@lists.infradead.org Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
9b9d8dda1e
commit
7d31f4602f
|
@ -105,6 +105,7 @@ enum lockdown_reason {
|
|||
LOCKDOWN_NONE,
|
||||
LOCKDOWN_MODULE_SIGNATURE,
|
||||
LOCKDOWN_DEV_MEM,
|
||||
LOCKDOWN_KEXEC,
|
||||
LOCKDOWN_INTEGRITY_MAX,
|
||||
LOCKDOWN_CONFIDENTIALITY_MAX,
|
||||
};
|
||||
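Review bot: The new LOCKDOWN_KEXEC enumerator carries no comment, and its position in the enum is significant: it sits among the entries before LOCKDOWN_INTEGRITY_MAX, which presumably means it is enforced at the integrity lockdown level rather than only at confidentiality level — worth confirming against how security_locked_down() compares a reason to the current level. A one-line comment such as `LOCKDOWN_KEXEC, /* kexec_load(): unverified image into ring 0; integrity class */` would make the intended class explicit to the next person inserting an entry, since inserting on the wrong side of the MAX marker silently changes which level enforces it. The enum definition begins outside the hunk.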
|
|
|
@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments,
|
|||
if (result < 0)
|
||||
return result;
|
||||
|
||||
/*
|
||||
* kexec can be used to circumvent module loading restrictions, so
|
||||
* prevent loading in that case
|
||||
*/
|
||||
result = security_locked_down(LOCKDOWN_KEXEC);
|
||||
if (result)
|
||||
return result;
|
||||
|
||||
/*
|
||||
* Verify we have a legal set of flags
|
||||
* This leaves us room for future extensions.
|
||||
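Review bot: The comment added above the new check in kexec_load_check() says kexec "can be used to circumvent module loading restrictions", which is narrower than the risk the check actually addresses: kexec_load() boots an arbitrary, unverified image as the next kernel, i.e. it runs caller-chosen code in ring 0, which is the property lockdown exists to preserve. Suggest `/* kexec_load() boots an unverified image in ring 0, which lockdown must prevent; kexec_file_load() is unaffected since it can verify the image signature. */` so the comment matches the commit description and explains why the sibling syscall is not gated here. Placing the lockdown check after the existing `if (result < 0) return result;` looks right, as the preceding test (outside the hunk, presumably the capability check) keeps precedence and lockdown only adds a further denial. kexec_load_check() begins and ends outside the hunk.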
|
|
|
@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
|
|||
[LOCKDOWN_NONE] = "none",
|
||||
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
|
||||
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
|
||||
[LOCKDOWN_KEXEC] = "kexec of unsigned images",
|
||||
[LOCKDOWN_INTEGRITY_MAX] = "integrity",
|
||||
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
|
||||
};
|
||||
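Review bot: The new reason string "kexec of unsigned images" is presumably what appears in the lockdown denial log line, and it can be read as implying that a signed image passed through kexec_load() would be permitted; kexec_load() has no signature path at all, so every image it loads is unverified and the syscall is refused outright. Consider `[LOCKDOWN_KEXEC] = "kexec_load of unverified images",` so the logged reason names the syscall that was refused and distinguishes it from kexec_file_load(), which remains available. Denial messages are what detection rules key on, so the exact wording is worth settling before it ships. The lockdown_reasons table begins outside the hunk.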
|
|