]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
authorSeth Forshee <seth.forshee@canonical.com>
Tue, 5 Nov 2019 20:35:05 +0000 (14:35 -0600)
committerStefan Bader <stefan.bader@canonical.com>
Tue, 12 Nov 2019 17:47:01 +0000 (18:47 +0100)
BugLink: https://bugs.launchpad.net/bugs/1851380
"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
lockdown" adds a sysrq key to lift kernel lockdown, which is
meant to only allow a physically present user to lift lockdown
using a keyboard. However, the code has a bug which also allows
root to lift lockdown through /proc/sysrq-trigger. Fix this bug
to make this work as intended.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
drivers/tty/sysrq.c

index 7cc95a8bdf8d3138e302228de2c3a5265ed28fae..99082faafc444ff6dcc53ea46df9c70fbaa9c70b 100644 (file)
@@ -549,13 +549,13 @@ void __handle_sysrq(int key, unsigned int from)
         if (op_p) {
                /* Ban synthetic events from some sysrq functionality */
                if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
-                   op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+                   op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
                        printk("This sysrq operation is disabled from userspace.\n");
-               /*
-                * Should we check for enabled operations (/proc/sysrq-trigger
-                * should not) and is the invoked operation enabled?
-                */
-               if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+               } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+                       /*
+                        * Should we check for enabled operations (/proc/sysrq-trigger
+                        * should not) and is the invoked operation enabled?
+                        */
                        pr_info("%s\n", op_p->action_msg);
                        console_loglevel = orig_log_level;
                        op_p->handler(key);