kexec_load: Disable at runtime if the kernel is locked down (7d31f460) · Commits · 戴 / test

The kexec_load() syscall permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable kexec_load() in this situation. This does not affect kexec_file_load() syscall which can check for a signature on the image to be booted. Signed-off-by:

David Howells <dhowells@redhat.com> Signed-off-by:

Matthew Garrett <mjg59@google.com> Acked-by:

Dave Young <dyoung@redhat.com> Reviewed-by:

Kees Cook <keescook@chromium.org> cc: kexec@lists.infradead.org Signed-off-by:

James Morris <jmorris@namei.org>

include/linux/security.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -105,6 +105,7 @@ enum lockdown_reason {
		LOCKDOWN_NONE,
		LOCKDOWN_MODULE_SIGNATURE,
		LOCKDOWN_DEV_MEM,
		LOCKDOWN_KEXEC,
		LOCKDOWN_INTEGRITY_MAX,
		LOCKDOWN_CONFIDENTIALITY_MAX,
		};

kernel/kexec.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -205,6 +205,14 @@ static inline int kexec_load_check(unsigned long nr_segments,
		if (result < 0)
		return result;

		/*
		* kexec can be used to circumvent module loading restrictions, so
		* prevent loading in that case
		*/
		result = security_locked_down(LOCKDOWN_KEXEC);
		if (result)
		return result;

		/*
		* Verify we have a legal set of flags
		* This leaves us room for future extensions.

security/lockdown/lockdown.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -20,6 +20,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
		[LOCKDOWN_NONE] = "none",
		[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
		[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
		[LOCKDOWN_KEXEC] = "kexec of unsigned images",
		[LOCKDOWN_INTEGRITY_MAX] = "integrity",
		[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
		};

Admin message