kernel-packages team mailing list archive

Thread
Date

[Bug 1259570] Re: kexec should get a disabling sysctl

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Brad Figg <brad.figg@xxxxxxxxxxxxx>
Date: Mon, 24 Feb 2014 15:27:45 -0000
Reply-to: Bug 1259570 <1259570@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-saucy

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1259570

Title:
  kexec should get a disabling sysctl

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Won't Fix
Status in “linux-lts-saucy” source package in Precise:
  Fix Committed
Status in “linux” source package in Quantal:
  Won't Fix
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux” source package in Raring:
  Invalid
Status in “linux-lts-saucy” source package in Raring:
  Invalid
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-lts-saucy” source package in Trusty:
  Invalid

Bug description:
  To enable kexec makes sense for a generic distro kernel. But if your
  users have root in their virtual machines, and you want to make it
  hard for them to run code in ring 0, you commonly disable further
  module loading and you also want to disable kexec[1]. Kees Cook wrote
  up a patch[2] that we'd like to see applied to the Ubuntu kernel to
  avoid recompilation of the distro kernel.

  I'm marking this as a security issue on the ground that it's quite
  surprising that setting kernel.modules_disabled=1 as a hardening
  feature can be subverted by using kexec.

  [1] http://mjg59.dreamwidth.org/28746.html
  [2] https://lkml.org/lkml/2013/12/9/765

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions

References

[Bug 1259570] [NEW] kexec should get a disabling sysctl
From: Philipp Kern, 2013-12-10