APPLIED: [PATCH 0/2][SRU][B/D/E] Don't allow lifting of lockdown via /proc/sysrq-trigger
Khaled Elmously
khalid.elmously at canonical.com
Thu Nov 7 01:06:27 UTC 2019
On 2019-11-05 14:35:03, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1851380
>
> SRU Justification
>
> Impact: The kernel lockdown support adds a sysrq to allow a physically
> present user to disable lockdown from the keyboard. A bug in the
> implementation makes it possible to also lift lockdown by writing to
> /proc/sysrq-trigger.
>
> Fix: Correct the logic to disallow disabling lockdown via
> /proc/sysrq-trigger.
>
> Test Case: Write "x" to /proc/sysrq-trigger. When working properly there
> should be no messages in dmesg about lifting lockdown, and lockdown
> restrictions (e.g. loading unsigned modules) should remain in effect.
>
> Regression Potential: Anyone using /proc/sysrq-trigger to disable
> lockdown will no longer be able to do so. Implementation bugs could
> prevent use of the sysrq from the keyboard from disabling lockdown, but
> this has been confirmed to still work with the fix in place.
>
> Note that xenial uses an older implementation of these patches which
> does not have any sysrq mechanism for lifting lockdown, and thus it is
> not affected.
>
> Thanks,
> Seth
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
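A small POSIX shell helper that scripts the Test Case quoted above (an added example; not part of the SRU mail or of the kernel tree). It assumes the kernel logs a line containing "lockdown" and "lift" when the sysrq lifts lockdown, and that /sys/kernel/security/lockdown, where present, reports the active mode in brackets (both assumptions; the state file is only consulted if it exists).

```shell
#!/bin/sh
# Verification helper for the sysrq-trigger lockdown fix (added example).
# Assumptions: a lockdown-lift event appears in dmesg as a line mentioning
# "lockdown" and "lift"; /sys/kernel/security/lockdown, if present, reads
# like "none [integrity] confidentiality" with the active mode in brackets.

# Returns 0 if the dmesg text on stdin contains a lockdown-lift message.
lift_message_present() {
    grep -i 'lockdown' | grep -iq 'lift'
}

# Returns 0 if the lockdown state file (if any) does not show "[none]",
# i.e. lockdown is still in effect. No state file: nothing to contradict.
lockdown_still_active() {
    state_file="${1:-/sys/kernel/security/lockdown}"
    [ -r "$state_file" ] || return 0
    ! grep -q '\[none\]' "$state_file"
}

# Runs the SRU test case: write "x" to /proc/sysrq-trigger, then confirm no
# lift message was logged and lockdown is still active. Needs root on the
# kernel under test; only the new dmesg lines since the write are inspected.
run_test_case() {
    before=$(dmesg | wc -l)
    echo x > /proc/sysrq-trigger
    if dmesg | tail -n +"$((before + 1))" | lift_message_present; then
        echo "FAIL: dmesg reports lockdown lifted via /proc/sysrq-trigger"
        return 1
    fi
    if ! lockdown_still_active; then
        echo "FAIL: lockdown state reads 'none' after the sysrq write"
        return 1
    fi
    echo "PASS: lockdown still in effect after writing x to /proc/sysrq-trigger"
}

# Only perform the live test when explicitly asked for.
if [ "${1:-}" = "--run" ]; then
    run_test_case
fi
```

Run as root with `--run` on the patched kernel; a PASS line means the sysrq-trigger path no longer lifts lockdown, while the keyboard sysrq must be checked separately.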