[PATCH 2/2][SRU][E] UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
Seth Forshee
seth.forshee at canonical.com
Tue Nov 5 20:35:05 UTC 2019
BugLink: https://bugs.launchpad.net/bugs/1851380
"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
lockdown" adds a sysrq key to lift kernel lockdown, which is
meant to only allow a physically present user to lift lockdown
using a keyboard. However, the code has a bug which also allows
root to lift lockdown through /proc/sysrq-trigger. Fix this bug
to make this work as intended.
Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
drivers/tty/sysrq.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 7cc95a8bdf8d..99082faafc44 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -549,13 +549,13 @@ void __handle_sysrq(int key, unsigned int from)
if (op_p) {
/* Ban synthetic events from some sysrq functionality */
if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
- op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
printk("This sysrq operation is disabled from userspace.\n");
- /*
- * Should we check for enabled operations (/proc/sysrq-trigger
- * should not) and is the invoked operation enabled?
- */
- if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ /*
+ * Should we check for enabled operations (/proc/sysrq-trigger
+ * should not) and is the invoked operation enabled?
+ */
pr_info("%s\n", op_p->action_msg);
console_loglevel = orig_log_level;
op_p->handler(key);
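Review bot: the new denied arm (`if (... SYSRQ_DISABLE_USERSPACE) {`) only prints a message and never does `console_loglevel = orig_log_level;`, which the allowed arm does before calling the handler. Unless code outside this hunk restores it, a request rejected from /proc/sysrq-trigger or a synthetic event leaves the console log level altered, so the restore should be added to this arm as well. The message in that arm is also a bare printk() with no log level while the next arm uses pr_info(); pr_info() or pr_warn() would be consistent. Finally, parentheses around `op_p->enable_mask & SYSRQ_DISABLE_USERSPACE` would make the precedence against `&&` explicit now that this condition is the gate that keeps userspace from lifting lockdown.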
--
2.20.1