79bc7c2
From 53519eb288a4fa0e852700173b54a200e7928643 Mon Sep 17 00:00:00 2001
6a91557
From: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
Date: Fri, 9 Aug 2013 03:33:56 -0400
6a91557
Subject: [PATCH] kexec: Disable at runtime if the kernel enforces module
6a91557
 loading restrictions
6a91557
6a91557
kexec permits the loading and execution of arbitrary code in ring 0, which
6a91557
is something that module signing enforcement is meant to prevent. It makes
6a91557
sense to disable kexec in this situation.
6a91557
6a91557
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
6a91557
---
6a91557
 kernel/kexec.c | 8 ++++++++
6a91557
 1 file changed, 8 insertions(+)
6a91557
6a91557
diff --git a/kernel/kexec.c b/kernel/kexec.c
6a91557
index 0b49a0a58102..8e649f7c22e1 100644
6a91557
--- a/kernel/kexec.c
6a91557
+++ b/kernel/kexec.c
6a91557
@@ -36,6 +36,7 @@
6a91557
 #include <linux/syscore_ops.h>
6a91557
 #include <linux/compiler.h>
6a91557
 #include <linux/hugetlb.h>
6a91557
+#include <linux/module.h>
6a91557
 
6a91557
 #include <asm/page.h>
6a91557
 #include <asm/uaccess.h>
6a91557
@@ -1245,6 +1246,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
6a91557
 		return -EPERM;
6a91557
 
6a91557
 	/*
6a91557
+	 * kexec can be used to circumvent module loading restrictions, so
6a91557
+	 * prevent loading in that case
6a91557
+	 */
6a91557
+	if (secure_modules())
6a91557
+		return -EPERM;
6a91557
+
6a91557
+	/*
6a91557
 	 * Verify we have a legal set of flags
6a91557
 	 * This leaves us room for future extensions.
6a91557
 	 */
6a91557
-- 
6a91557
1.9.3
6a91557