1 files changed, 40 insertions, 0 deletions

diff --git a/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch
new file mode 100644
index 000000000..056936427
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0008-kexec_file-Restrict-at-runtime-if-the-kernel-is-lock.patch
@@ -0,0 +1,40 @@
+From: Chun-Yi Lee <joeyli.kernel@gmail.com>
+Date: Wed, 8 Nov 2017 15:11:33 +0000
+Subject: [08/29] kexec_file: Restrict at runtime if the kernel is locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=eed4aca0409692d7d24bc64f5c98d346cd0506c4
+
+When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through
+kexec_file systemcall if the kernel is locked down unless IMA can be used
+to validate the image.
+
+This code was showed in Matthew's patch but not in git:
+https://lkml.org/lkml/2015/3/13/778
+
+Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+Signed-off-by: Chun-Yi Lee <jlee@suse.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+cc: kexec@lists.infradead.org
+---
+ kernel/kexec_file.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: linux/kernel/kexec_file.c
+===================================================================
+--- linux.orig/kernel/kexec_file.c
++++ linux/kernel/kexec_file.c
+@@ -328,6 +328,14 @@ SYSCALL_DEFINE5(kexec_file_load, int, ke
+ 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
+ 		return -EPERM;
+ 
++	/* Don't permit images to be loaded into trusted kernels if we're not
++	 * going to verify the signature on them
++	 */
++	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
++	    !is_ima_appraise_enabled() &&
++	    kernel_is_locked_down("kexec of unsigned images"))
++		return -EPERM;
++
+ 	/* Make sure we have a legal set of flags */
+ 	if (flags != (flags & KEXEC_FILE_FLAGS))
+ 		return -EINVAL;