kernel-packages team mailing list archive

[Philipp Kern <pkern@xxxxxxxxxx>]

*** This bug is a security vulnerability ***

Public security bug reported:

To enable kexec makes sense for a generic distro kernel. But if your
users have root and you want to make it hard for them to run code in
ring 0, you commonly disable further module loading and you also want to
disable kexec[1]. Kees Cook wrote up a patch[2] that we'd like to see
applied to the Ubuntu kernel to avoid recompilation of the distro
kernel.

I'm marking this as a security issue on the ground that it's quite
surprising that setting kernel.modules_disabled=1 as a hardening feature
can be subverted by using kexec.

[1] http://mjg59.dreamwidth.org/28746.html
[2] https://lkml.org/lkml/2013/12/9/765

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1259570

Title:
  kexec should get a disabling sysctl

Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  To enable kexec makes sense for a generic distro kernel. But if your
  users have root and you want to make it hard for them to run code in
  ring 0, you commonly disable further module loading and you also want
  to disable kexec[1]. Kees Cook wrote up a patch[2] that we'd like to
  see applied to the Ubuntu kernel to avoid recompilation of the distro
  kernel.

  I'm marking this as a security issue on the ground that it's quite
  surprising that setting kernel.modules_disabled=1 as a hardening
  feature can be subverted by using kexec.

  [1] http://mjg59.dreamwidth.org/28746.html
  [2] https://lkml.org/lkml/2013/12/9/765

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions