]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commitdiff
projects / mirror_ubuntu-bionic-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 73796cb)
UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
authorSeth Forshee <seth.forshee@canonical.com>
Tue, 5 Nov 2019 20:35:04 +0000 (14:35 -0600)
committerStefan Bader <stefan.bader@canonical.com>
Tue, 12 Nov 2019 18:04:39 +0000 (19:04 +0100)
BugLink: https://bugs.launchpad.net/bugs/1851380
"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
lockdown" adds a sysrq key to lift kernel lockdown, which is
meant to only allow a physically present user to lift lockdown
using a keyboard. However, the code has a bug which also allows
root to lift lockdown through /proc/sysrq-trigger. Fix this bug
to make this work as intended.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
drivers/tty/sysrq.c patch | blob | blame | history

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 7c06541b422e6f3d12747eae2211794445e526ba..f7200393771727c27088695f53183d1c1dee2621 100644 (file)
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -553,13 +553,13 @@ void __handle_sysrq(int key, unsigned int from)
         if (op_p) {
                /* Ban synthetic events from some sysrq functionality */
                if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
-                   op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+                   op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
                        printk("This sysrq operation is disabled from userspace.\n");
-               /*
-                * Should we check for enabled operations (/proc/sysrq-trigger
-                * should not) and is the invoked operation enabled?
-                */
-               if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+               } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
+                       /*
+                        * Should we check for enabled operations (/proc/sysrq-trigger
+                        * should not) and is the invoked operation enabled?
+                        */
                        pr_cont("%s\n", op_p->action_msg);
                        console_loglevel = orig_log_level;
                        op_p->handler(key);
ubuntu-bionic-kernel mirror