← Back to team overview

kernel-packages team mailing list archive

[Bug 1259570] Re: kexec should get a disabling sysctl

 

** Changed in: linux (Ubuntu Precise)
       Status: New => Won't Fix

** Changed in: linux (Ubuntu Quantal)
       Status: New => Won't Fix

** Changed in: linux (Ubuntu Raring)
       Status: New => Won't Fix

** Changed in: linux (Ubuntu Saucy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Saucy)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Saucy)
     Assignee: (unassigned) => Andy Whitcroft (apw)

** Also affects: linux-lts-saucy (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-lts-saucy (Ubuntu Quantal)
       Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Raring)
       Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Saucy)
       Status: New => Invalid

** Changed in: linux (Ubuntu Raring)
       Status: Won't Fix => Invalid

** Changed in: linux-lts-saucy (Ubuntu Precise)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1259570

Title:
  kexec should get a disabling sysctl

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Won't Fix
Status in “linux-lts-saucy” source package in Precise:
  In Progress
Status in “linux” source package in Quantal:
  Won't Fix
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux” source package in Raring:
  Invalid
Status in “linux-lts-saucy” source package in Raring:
  Invalid
Status in “linux” source package in Saucy:
  In Progress
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-lts-saucy” source package in Trusty:
  Invalid

Bug description:
  To enable kexec makes sense for a generic distro kernel. But if your
  users have root in their virtual machines, and you want to make it
  hard for them to run code in ring 0, you commonly disable further
  module loading and you also want to disable kexec[1]. Kees Cook wrote
  up a patch[2] that we'd like to see applied to the Ubuntu kernel to
  avoid recompilation of the distro kernel.

  I'm marking this as a security issue on the ground that it's quite
  surprising that setting kernel.modules_disabled=1 as a hardening
  feature can be subverted by using kexec.

  [1] http://mjg59.dreamwidth.org/28746.html
  [2] https://lkml.org/lkml/2013/12/9/765

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions


References