kexec: Disable at runtime if the kernel enforces module loading restrictions

kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

diff --git a/kernel/kexec.c b/kernel/kexec.c
index a785c1015e25bf1ecacd3a6d92956e3e630e7f37..81d6b404f33c6bc87e5236937192ba7dd91d72c5 100644 (file)
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -36,6 +36,7 @@
 #include <linux/syscore_ops.h>
 #include <linux/compiler.h>
 #include <linux/hugetlb.h>
+#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
@@ -1257,6 +1258,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
        if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
                return -EPERM;
 
+       /*
+        * kexec can be used to circumvent module loading restrictions, so
+        * prevent loading in that case
+        */
+       if (secure_modules())
+               return -EPERM;
+
        /*
         * Verify we have a legal set of flags
         * This leaves us room for future extensions.