kernel-packages team mailing list archive
Message #44050
[Bug 1259570] Re: kexec should get a disabling sysctl
** Changed in: linux (Ubuntu Precise)
Status: New => Won't Fix
** Changed in: linux (Ubuntu Quantal)
Status: New => Won't Fix
** Changed in: linux (Ubuntu Raring)
Status: New => Won't Fix
** Changed in: linux (Ubuntu Saucy)
Status: New => In Progress
** Changed in: linux (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Saucy)
Assignee: (unassigned) => Andy Whitcroft (apw)
** Also affects: linux-lts-saucy (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux-lts-saucy (Ubuntu Quantal)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Raring)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux (Ubuntu Raring)
Status: Won't Fix => Invalid
** Changed in: linux-lts-saucy (Ubuntu Precise)
Status: New => In Progress
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1259570
Title:
kexec should get a disabling sysctl
Status in “linux” package in Ubuntu:
Fix Committed
Status in “linux-lts-saucy” package in Ubuntu:
Invalid
Status in “linux” source package in Precise:
Won't Fix
Status in “linux-lts-saucy” source package in Precise:
In Progress
Status in “linux” source package in Quantal:
Won't Fix
Status in “linux-lts-saucy” source package in Quantal:
Invalid
Status in “linux” source package in Raring:
Invalid
Status in “linux-lts-saucy” source package in Raring:
Invalid
Status in “linux” source package in Saucy:
In Progress
Status in “linux-lts-saucy” source package in Saucy:
Invalid
Status in “linux” source package in Trusty:
Fix Committed
Status in “linux-lts-saucy” source package in Trusty:
Invalid
Bug description:
To enable kexec makes sense for a generic distro kernel. But if your
users have root in their virtual machines, and you want to make it
hard for them to run code in ring 0, you commonly disable further
module loading and you also want to disable kexec[1]. Kees Cook wrote
up a patch[2] that we'd like to see applied to the Ubuntu kernel to
avoid recompilation of the distro kernel.
I'm marking this as a security issue on the ground that it's quite
surprising that setting kernel.modules_disabled=1 as a hardening
feature can be subverted by using kexec.
[1] http://mjg59.dreamwidth.org/28746.html
[2] https://lkml.org/lkml/2013/12/9/765
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions