----- Original Message ----- > From: "Matthew Garrett" <matthew.garrett@xxxxxxxxxx> > To: linux-kernel@xxxxxxxxxxxxxxx > Cc: linux-efi@xxxxxxxxxxxxxxx, jwboyer@xxxxxxxxxx, keescook@xxxxxxxxxxxx, "Matthew Garrett" > <matthew.garrett@xxxxxxxxxx> > Sent: Monday, August 19, 2013 1:26:09 PM > Subject: [PATCH V2 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions > > kexec permits the loading and execution of arbitrary code in ring 0, which > is something that module signing enforcement is meant to prevent. It makes > sense to disable kexec in this situation. > > Signed-off-by: Matthew Garrett <matthew.garrett@xxxxxxxxxx> > --- > kernel/kexec.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index 59f7b55..1a7690f 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -32,6 +32,7 @@ > #include <linux/vmalloc.h> > #include <linux/swap.h> > #include <linux/syscore_ops.h> > +#include <linux/module.h> > > #include <asm/page.h> > #include <asm/uaccess.h> > @@ -1645,6 +1646,9 @@ int kernel_kexec(void) > goto Unlock; > } > > + if (secure_modules()) > + return -EPERM; > + > #ifdef CONFIG_KEXEC_JUMP > if (kexec_image->preserve_context) { > lock_system_sleep(); > -- > 1.8.3.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > Shouldn't that be: + if (secure_modules()) { + error = -EPERM; + goto Unlock; + } -Lenny. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
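Review bot: the early `return -EPERM` in the second hunk leaks the lock that the `Unlock:` label releases. The new check sits after the existing `goto Unlock;` in kernel_kexec(), i.e. inside the region where kexec_mutex has already been taken, so a direct return leaves the mutex held and every later kexec attempt on that system fails with -EBUSY instead of -EPERM. Either route the failure through the existing error path, as Lenny suggests (`error = -EPERM; goto Unlock;`), or move the `secure_modules()` test above the lock acquisition so the plain return is correct. Note also that this hunk gates only the execution path in kernel_kexec(); the image is still accepted by the load path, so the commit message's goal of preventing arbitrary ring-0 code should state whether refusing at execution time alone is the intended behaviour.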