6a91557
From: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
Date: Fri, 9 Aug 2013 03:33:56 -0400
6a91557
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
6a91557
 loading restrictions
6a91557
6a91557
kexec permits the loading and execution of arbitrary code in ring 0, which
6a91557
is something that module signing enforcement is meant to prevent. It makes
6a91557
sense to disable kexec in this situation.
6a91557
6a91557
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
---
6a91557
 kernel/kexec.c | 8 ++++++++
6a91557
 1 file changed, 8 insertions(+)
6a91557
6a91557
diff --git a/kernel/kexec.c b/kernel/kexec.c
7f1b8a8
index 2abf9f6e9a61..417bd0599024 100644
6a91557
--- a/kernel/kexec.c
6a91557
+++ b/kernel/kexec.c
6a91557
@@ -36,6 +36,7 @@
6a91557
 #include <linux/syscore_ops.h>
6a91557
 #include <linux/compiler.h>
6a91557
 #include <linux/hugetlb.h>
6a91557
+#include <linux/module.h>
6a91557
 
6a91557
 #include <asm/page.h>
6a91557
 #include <asm/uaccess.h>
27d7c47
@@ -1251,6 +1252,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
6a91557
 		return -EPERM;
6a91557
 
6a91557
 	/*
6a91557
+	 * kexec can be used to circumvent module loading restrictions, so
6a91557
+	 * prevent loading in that case
6a91557
+	 */
6a91557
+	if (secure_modules())
6a91557
+		return -EPERM;
6a91557
+
6a91557
+	/*
6a91557
 	 * Verify we have a legal set of flags
6a91557
 	 * This leaves us room for future extensions.
6a91557
 	 */
6a91557
-- 
1e63a38
2.1.0
6a91557