kexec should get a disabling sysctl
Bug #1259570 reported by Philipp Kern
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Andy Whitcroft |
linux (Ubuntu Precise) | Won't Fix | Medium | Unassigned |
linux (Ubuntu Quantal) | Won't Fix | Undecided | Unassigned |
linux (Ubuntu Raring) | Invalid | Undecided | Unassigned |
linux (Ubuntu Saucy) | Fix Released | Medium | Andy Whitcroft |
linux (Ubuntu Trusty) | Fix Released | Medium | Andy Whitcroft |
linux-lts-saucy (Ubuntu) | Invalid | Undecided | Unassigned |
linux-lts-saucy (Ubuntu Precise) | Fix Released | Undecided | Unassigned |
linux-lts-saucy (Ubuntu Quantal) | Invalid | Undecided | Unassigned |
linux-lts-saucy (Ubuntu Raring) | Invalid | Undecided | Unassigned |
linux-lts-saucy (Ubuntu Saucy) | Invalid | Undecided | Unassigned |
linux-lts-saucy (Ubuntu Trusty) | Invalid | Undecided | Unassigned |
Bug Description
Enabling kexec makes sense for a generic distro kernel. But if your users have root in their virtual machines, and you want to make it hard for them to run code in ring 0, you commonly disable further module loading and you also want to disable kexec [1]. Kees Cook wrote up a patch [2] that we'd like to see applied to the Ubuntu kernel to avoid recompilation of the distro kernel.
I'm marking this as a security issue on the ground that it's quite surprising that setting kernel.
[1] http://
[2] https:/
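The hardening the report describes, latching off both module loading and kexec so that a root user in the guest cannot bring its own ring-0 code, as an added example that is not from the bug report or the Ubuntu kernel team. It assumes the sysctl names kernel.modules_disabled and kernel.kexec_load_disabled (the latter is the knob Kees Cook's patch adds, present in mainline from Linux 3.14); the PROC_SYS override is an illustrative testing knob, not a real kernel interface.

```shell
#!/bin/sh
# Added example: audit and optionally apply the two one-way hardening latches
# the bug report asks for. Both sysctls can only go 0 -> 1 and reset on reboot,
# so apply them last in boot, after every module the host needs is loaded.

# PROC_SYS is an illustrative override so the audit can run against a
# constructed tree; on a real host it is /proc/sys.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# latch_state NAME -> prints "latched", "open", "unknown" or "missing" for kernel.NAME.
# "missing" is what the kernels this bug marks Won't Fix (no sysctl) report.
latch_state() {
    f="$PROC_SYS/kernel/$1"
    if [ ! -r "$f" ]; then
        echo missing
        return 0
    fi
    case "$(cat "$f")" in
        1) echo latched ;;
        0) echo open ;;
        *) echo unknown ;;
    esac
}

# audit_ring0_latches -> prints each latch, returns 0 only when both are set.
audit_ring0_latches() {
    rc=0
    for name in modules_disabled kexec_load_disabled; do
        state=$(latch_state "$name")
        printf 'kernel.%s: %s\n' "$name" "$state"
        [ "$state" = latched ] || rc=1
    done
    return $rc
}

# apply_ring0_latches: write 1 to each latch that exists (needs root; irreversible until reboot).
apply_ring0_latches() {
    for name in modules_disabled kexec_load_disabled; do
        if [ -w "$PROC_SYS/kernel/$name" ]; then
            echo 1 > "$PROC_SYS/kernel/$name"
        fi
    done
}

# Stand-alone use: "sh harden.sh --audit" to check, "sh harden.sh --apply" to latch and re-check.
case "${1:-}" in
    --audit) audit_ring0_latches ;;
    --apply) apply_ring0_latches && audit_ring0_latches ;;
esac
```

On a kernel without the patch the kexec line reports "missing", which is the condition this bug exists to remove; the audit then fails closed rather than reporting a hardened host.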
information type: Private Security → Public Security
Changed in linux (Ubuntu):
    assignee: nobody → Tyler Hicks (tyhicks)
    tags: added: rls-t-incoming
Changed in linux (Ubuntu):
    importance: Undecided → Medium
    tags: added: trusty
Changed in linux (Ubuntu Precise):
    assignee: Tyler Hicks (tyhicks) → nobody
    status: Confirmed → New
Changed in linux (Ubuntu Precise):
    status: New → Won't Fix
Changed in linux (Ubuntu Quantal):
    status: New → Won't Fix
Changed in linux (Ubuntu Raring):
    status: New → Won't Fix
Changed in linux (Ubuntu Saucy):
    status: New → In Progress
    importance: Undecided → Medium
    assignee: nobody → Andy Whitcroft (apw)
Changed in linux-lts-saucy (Ubuntu Quantal):
    status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Trusty):
    status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Raring):
    status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Saucy):
    status: New → Invalid
Changed in linux (Ubuntu Raring):
    status: Won't Fix → Invalid
Changed in linux-lts-saucy (Ubuntu Precise):
    assignee: nobody → Andy Whitcroft (apw)
    status: New → In Progress
    assignee: Andy Whitcroft (apw) → nobody
Changed in linux (Ubuntu Saucy):
    status: In Progress → Fix Committed
Changed in linux-lts-saucy (Ubuntu Precise):
    status: In Progress → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1259570
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.