ACK: [PATCH 0/2][SRU][B/D/E] Don't allow lifting of lockdown via /proc/sysrq-trigger

Connor Kuehl connor.kuehl at canonical.com
Tue Nov 5 22:06:27 UTC 2019


On 11/5/19 12:35 PM, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1851380
> 
> SRU Justification
> 
> Impact: The kernel lockdown support adds a sysrq to allow a physically
> present user to disable lockdown from the keyboard. A bug in the
> implementation makes it possible to also lift lockdown by writing to
> /proc/sysrq-trigger.
> 
> Fix: Correct the logic to disallow disabling lockdown via
> /proc/sysrq-trigger.
> 
> Test Case: Write "x" to /proc/sysrq-trigger. When working properly there
> should be no messages in dmesg about lifting lockdown, and lockdown
> restrictions (e.g. loading unsigned modules) should remain in effect.
> 
> Regression Potential: Anyone using /proc/sysrq-trigger to disable
> lockdown will no longer be able to do so. Implementation bugs could
> prevent use of the sysrq from the keyboard from disabling lockdown, but
> this has been confirmed to still work with the fix in place.
> 
> Note that xenial uses an older implementation of these patches which
> does not have any sysrq mechanism for lifting lockdown, and thus it is
> not affected.
> 
> Thanks,
> Seth
> 

Acked-by: Connor Kuehl <connor.kuehl at canonical.com>
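A scripted form of the test case from the cover letter, added here as an example; it is not part of the patch series or of anyone's message in this thread. Two things are assumed rather than taken from the page: that the kernel's notice in dmesg when the sysrq lifts lockdown contains the words "lift" and "lockdown" (the pattern below is a guess at that wording), and that the tester supplies the path of an unsigned module to probe whether lockdown restrictions are still enforced. The dmesg snapshots embedded in the script are constructed, so the decision logic can be exercised offline without root.

```shell
#!/bin/sh
# Added example: scripted check for "writing x to /proc/sysrq-trigger must not
# lift lockdown". Not from the patch or the thread.
#
# Assumption: the lift notice in dmesg mentions "lift" and "lockdown".
LIFT_PATTERN='lift(ing)? (kernel )?lockdown|lockdown (lifted|disabled)'

# Constructed sample dmesg snapshots (not real kernel output).
SAMPLE_BEFORE='[    1.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[    2.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd'
SAMPLE_AFTER_LIFTED="$SAMPLE_BEFORE
[    3.000000] sysrq: Lifting lockdown"

# Count lines in a dmesg snapshot that look like a lockdown-lift notice.
# Always exits 0 so callers can use it under set -e.
count_lift_messages() {
    printf '%s\n' "$1" | grep -ciE "$LIFT_PATTERN" || true
}

# Pass (return 0) only if no lift notice appeared between the two snapshots.
no_new_lift() {
    before=$(count_lift_messages "$1")
    after=$(count_lift_messages "$2")
    [ "$after" -le "$before" ]
}

# Lockdown is still in effect if loading an unsigned module was refused.
# The insmod exit status is passed in so the decision is testable offline.
lockdown_still_enforced() {
    [ "$1" -ne 0 ]
}

# Live run: needs root and a lockdown-enabled kernel. Writes "x" to
# /proc/sysrq-trigger, then applies both checks from the cover letter.
run_live() {
    unsigned_ko=$1
    [ -n "$unsigned_ko" ] || { echo "usage: $0 --live <unsigned-module.ko>" >&2; return 2; }
    before=$(dmesg)
    echo x > /proc/sysrq-trigger
    after=$(dmesg)
    if insmod "$unsigned_ko" 2>/dev/null; then
        rc=0
        rmmod "$(basename "$unsigned_ko" .ko)" 2>/dev/null || true
    else
        rc=$?
    fi
    status=0
    no_new_lift "$before" "$after" && echo "PASS: no lockdown-lift notice in dmesg" \
        || { echo "FAIL: dmesg reports lockdown being lifted"; status=1; }
    lockdown_still_enforced "$rc" && echo "PASS: unsigned module load refused" \
        || { echo "FAIL: unsigned module loaded, lockdown no longer enforced"; status=1; }
    return "$status"
}

# Offline demonstration on the constructed snapshots.
offline_demo() {
    if no_new_lift "$SAMPLE_BEFORE" "$SAMPLE_BEFORE"; then
        echo "unchanged dmesg: PASS (no lift notice)"
    fi
    if no_new_lift "$SAMPLE_BEFORE" "$SAMPLE_AFTER_LIFTED"; then
        echo "unexpected: constructed lift notice was not detected"
    else
        echo "constructed 'Lifting lockdown' line: FAIL flagged as intended"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live "${2:-}"
else
    offline_demo
fi
```

Run without arguments to exercise the checks on the embedded snapshots; run as root with `--live /path/to/unsigned.ko` on a B/D/E kernel carrying the fix to perform the actual test. A PASS on the dmesg check alone is not enough: the module-load probe is what confirms that the restrictions themselves survived the sysrq write.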


