[PATCH 1/1][SRU][B/D] UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace

Seth Forshee seth.forshee at canonical.com
Tue Nov 5 20:35:04 UTC 2019


BugLink: https://bugs.launchpad.net/bugs/1851380

"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
lockdown" adds a sysrq key to lift kernel lockdown, which is
meant to only allow a physically present user to lift lockdown
using a keyboard. However, the code has a bug which also allows
root to lift lockdown through /proc/sysrq-trigger. Fix this bug
to make this work as intended.

Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
 drivers/tty/sysrq.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 7c06541b422e..f72003937717 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -553,13 +553,13 @@ void __handle_sysrq(int key, unsigned int from)
         if (op_p) {
 		/* Ban synthetic events from some sysrq functionality */
 		if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
-		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+		    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
 			printk("This sysrq operation is disabled from userspace.\n");
-		/*
-		 * Should we check for enabled operations (/proc/sysrq-trigger
-		 * should not) and is the invoked operation enabled?
-		 */
-		if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+		} else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+			/*
+			 * Should we check for enabled operations (/proc/sysrq-trigger
+			 * should not) and is the invoked operation enabled?
+			 */
 			pr_cont("%s\n", op_p->action_msg);
 			console_loglevel = orig_log_level;
 			op_p->handler(key);
-- 
2.20.1




More information about the kernel-team mailing list