Skip to content

Commit

Permalink
kexec_file: Restrict at runtime if the kernel is locked down
Browse files Browse the repository at this point in the history
When KEXEC_SIG is not enabled, kernel should not load images through
kexec_file systemcall if the kernel is locked down.

[Modified by David Howells to fit with modifications to the previous patch
 and to return -EPERM if the kernel is locked down for consistency with
 other lockdowns. Modified by Matthew Garrett to remove the IMA
 integration, which will be replaced by integrating with the IMA
 architecture policy patches.]

Signed-off-by: Jiri Bohac <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Matthew Garrett <[email protected]>
cc: [email protected]
Signed-off-by: James Morris <[email protected]>
jiribohac authored and James Morris committed Aug 20, 2019

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 99d5cad commit 155bdd3
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion kernel/kexec_file.c
Original file line number Diff line number Diff line change
@@ -208,7 +208,7 @@ kimage_validate_signature(struct kimage *image)
return ret;
}

return 0;
return security_locked_down(LOCKDOWN_KEXEC);

/* All other errors are fatal, including nomem, unparseable
* signatures and signature check failures - even if signatures

0 comments on commit 155bdd3

Please sign in to comment.