More discussion (thanks to Louis Bouchard for link): http://lists.infradead.org/pipermail/kexec/2013-December/010571.html
Patch v3: http://lists.infradead.org/pipermail/kexec/2013-December/010606.html -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1259570 Title: kexec should get a disabling sysctl Status in “linux” package in Ubuntu: Confirmed Status in “linux” source package in Precise: Confirmed Status in “linux” source package in Quantal: New Status in “linux” source package in Raring: New Status in “linux” source package in Saucy: New Status in “linux” source package in Trusty: Confirmed Bug description: To enable kexec makes sense for a generic distro kernel. But if your users have root in their virtual machines, and you want to make it hard for them to run code in ring 0, you commonly disable further module loading and you also want to disable kexec[1]. Kees Cook wrote up a patch[2] that we'd like to see applied to the Ubuntu kernel to avoid recompilation of the distro kernel. I'm marking this as a security issue on the ground that it's quite surprising that setting kernel.modules_disabled=1 as a hardening feature can be subverted by using kexec. [1] http://mjg59.dreamwidth.org/28746.html [2] https://lkml.org/lkml/2013/12/9/765 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
