From 2124110d2db61f45a90cf20914505481bd9b111a Mon Sep 17 00:00:00 2001
From: Seth Forshee
Date: Tue, 5 Nov 2019 14:35:05 -0600
Subject: [PATCH] UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
BugLink: https://bugs.launchpad.net/bugs/1851380
"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel lockdown" adds a sysrq key to lift kernel lockdown, which is meant to only allow a physically present user to lift lockdown using a keyboard. However, the code has a bug which also allows root to lift lockdown through /proc/sysrq-trigger. Fix this bug to make this work as intended.
Signed-off-by: Seth Forshee
Acked-by: Connor Kuehl
Acked-by: Tyler Hicks
Signed-off-by: Khalid Elmously
---
 drivers/tty/sysrq.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 7cc95a8bdf8d..99082faafc44 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -549,13 +549,13 @@ void __handle_sysrq(int key, unsigned int from)
 if (op_p) {
 /* Ban synthetic events from some sysrq functionality */
 if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
- op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+ op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
 printk("This sysrq operation is disabled from userspace.\n");
- /*
- * Should we check for enabled operations (/proc/sysrq-trigger
- * should not) and is the invoked operation enabled?
- */
- if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+ /*
+ * Should we check for enabled operations (/proc/sysrq-trigger
+ * should not) and is the invoked operation enabled?
+ */
 pr_info("%s\n", op_p->action_msg);
 console_loglevel = orig_log_level;
 op_p->handler(key);
-- 
2.39.5
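Review bot: The new userspace-rejection branch only prints its message, whereas the allowed branch directly below it restores `console_loglevel = orig_log_level;` before calling the handler. The rest of __handle_sysrq lies outside the hunk, so this is inferred, but if the restore is done per branch as the visible one suggests, a blocked /proc/sysrq-trigger write would leave the console log level unrestored. The message is also emitted with a bare `printk` and no level, although a rejected attempt to lift lockdown is exactly what an operator wants to find and alert on. I would write the branch body as `pr_warn("This sysrq operation is disabled from userspace.\n");` followed by `console_loglevel = orig_log_level;`. Parenthesising `(op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)` in the condition would also make the `&` versus `&&` precedence explicit for the next reader of this security check.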