X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=kernel%2Fkexec.c;h=fce28bf7d5d7eb5db1f5060e78bfaa49bd6970e9;hb=dde1b0df007113bbefa04db7e6c7c500679132e8;hp=980936a90ee6ea0a9f83c195277a7c0705a8bbaa;hpb=787ad90332b3573d502a6c1aff52f708ca141976;p=mirror_ubuntu-zesty-kernel.git
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 980936a90ee6..fce28bf7d5d7 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -193,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
 return -EPERM;
 
+ /*
+ * kexec can be used to circumvent module loading restrictions, so
+ * prevent loading in that case
+ */
+ if (secure_modules())
+ return -EPERM;
+
 /*
 * Verify we have a legal set of flags
 * This leaves us room for future extensions.
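Review bot: The new `secure_modules()` guard in the kexec_load hunk sits before the flags check, so it also refuses `KEXEC_ON_CRASH` loads, and its comment ("in that case") never says which case is meant; if refusing crash-kernel loads is intended, the comment should say so, e.g. `/* Module loading restrictions are enforced: refuse every kexec_load, crash kernels included, because the loaded image is not verified. */`. The denial returns the same `-EPERM` as the `capable(CAP_SYS_BOOT)` test above it, so an administrator cannot tell a policy refusal from a missing capability; a rate-limited notice before the return would make the refusal visible in the kernel log. Only this syscall's entry is visible here, so whether other image-loading paths get an equivalent check cannot be confirmed from the hunk, and the function body continues outside it.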