| field | value | date |
|---|---|---|
| author | Seth Forshee <seth.forshee@canonical.com> | 2019-11-05 14:35:04 -0600 |
| committer | Stefan Bader <stefan.bader@canonical.com> | 2019-11-12 19:04:39 +0100 |
| commit | 1c59aeeaa09d42c7718bfdd2e1f7612987dae561 (patch) | |
| tree | 1b859be144dff298962fd205f9f7802627f09446 | |
| parent | 73796cba5898d2d1106866239d1bbf72beca9cab (diff) | |
UBUNTU: SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
BugLink: https://bugs.launchpad.net/bugs/1851380
"UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
lockdown" adds a sysrq key to lift kernel lockdown, which is
meant to only allow a physically present user to lift lockdown
using a keyboard. However, the code has a bug which also allows
root to lift lockdown through /proc/sysrq-trigger. Fix this bug
to make this work as intended.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | drivers/tty/sysrq.c | 12 |

1 files changed, 6 insertions, 6 deletions
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c index 7c06541..f720039 100644 --- a/drivers/tty/sysrq.c +++ b/drivers/tty/sysrq.c @@ -553,13 +553,13 @@ void __handle_sysrq(int key, unsigned int from) if (op_p) { /* Ban synthetic events from some sysrq functionality */ if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && - op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) + op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) { printk("This sysrq operation is disabled from userspace.\n"); - /* - * Should we check for enabled operations (/proc/sysrq-trigger - * should not) and is the invoked operation enabled? - */ - if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { + } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) { + /* + * Should we check for enabled operations (/proc/sysrq-trigger + * should not) and is the invoked operation enabled? + */ pr_cont("%s\n", op_p->action_msg); console_loglevel = orig_log_level; op_p->handler(key); |
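Review bot: The root cause is visible in the removed lines: the userspace ban `if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) && op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)` had no braces, so only the `printk` was conditional and control then fell through to `if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask))`, which for an enabled key still reached `op_p->handler(key)`; that is exactly how root could lift lockdown through /proc/sysrq-trigger. Turning the two tests into a braced `if { ... } else if { ... }` chain makes the ban actually skip the handler, so the change is correct. Two small follow-ups: the `printk("This sysrq operation is disabled from userspace.\n")` in the ban path carries no log level, so a `pr_warn` (or `pr_notice`) would keep the record of a privileged process attempting a userspace-banned key from being dropped at a restrictive console loglevel; and since the same branch covers `SYSRQ_FROM_SYNTHETIC`, the commit message could state that synthetic input events were affected by the fall-through as well, not only /proc/sysrq-trigger. It is also worth adding a brief comment above the ban explaining why the `else if` ordering matters, since the bug was a missing-braces regression that a future reshuffle could reintroduce.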
