[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 012/117] gdb: Restrict GDB access when locked down
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 012/117] gdb: Restrict GDB access when locked down |
Date: |
Tue, 2 Mar 2021 19:00:19 +0100 |
From: Javier Martinez Canillas <javierm@redhat.com>
The gdbstub* commands allow to start and control a GDB stub running on
local host that can be used to connect from a remote debugger. Restrict
this functionality when the GRUB is locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
index 847a1e1e3..1818cb6f8 100644
--- a/grub-core/gdb/gdb.c
+++ b/grub-core/gdb/gdb.c
@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
GRUB_MOD_INIT (gdb)
{
grub_gdb_idtinit ();
- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
- N_("PORT"),
- /* TRANSLATORS: GDB stub is a small part of
- GDB functionality running on local host
- which allows remote debugger to
- connect to it. */
- N_("Start GDB stub on given port"));
- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
- /* TRANSLATORS: this refers to triggering
- a breakpoint so that the user will land
- into GDB. */
- 0, N_("Break into GDB"));
- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
- 0, N_("Stop GDB stub"));
+ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
+ N_("PORT"),
+ /*
+ * TRANSLATORS: GDB stub is a small
part of
+ * GDB functionality running on local
host
+ * which allows remote debugger to
+ * connect to it.
+ */
+ N_("Start GDB stub on given port"));
+ cmd_break = grub_register_command_lockdown ("gdbstub_break",
grub_cmd_gdb_break,
+ /*
+ * TRANSLATORS: this refers to
triggering
+ * a breakpoint so that the user
will land
+ * into GDB.
+ */
+ 0, N_("Break into GDB"));
+ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
+ 0, N_("Stop GDB stub"));
}
GRUB_MOD_FINI (gdb)
--
2.11.0
- Re: [SECURITY PATCH 001/117] verifiers: Move verifiers API to kernel image, (continued)
- [SECURITY PATCH 002/117] efi: Move the shim_lock verifier to the GRUB core, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 004/117] kern/lockdown: Set a variable if the GRUB is locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 005/117] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 003/117] kern: Add lockdown support, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 006/117] efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 008/117] mmap: Don't register cutmem and badram commands when lockdown is enforced, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 007/117] acpi: Don't register the acpi command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 009/117] commands: Restrict commands that can load BIOS or DT blobs when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 010/117] commands/setpci: Restrict setpci command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 012/117] gdb: Restrict GDB access when locked down,
Daniel Kiper <=
- [SECURITY PATCH 015/117] dl: Only allow unloading modules that are not dependencies, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 013/117] loader/xnu: Don't allow loading extension and packages when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 011/117] commands/hdparm: Restrict hdparm command when locked down, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 014/117] docs: Document the cutmem command, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 021/117] kern/efi: Fix memory leak on failure, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 019/117] net/tftp: Fix dangling memory pointer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 018/117] net/net: Fix possible dereference to of a NULL pointer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 024/117] gnulib/regcomp: Fix uninitialized token structure, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 020/117] kern/parser: Fix resource leak if argc == 0, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 022/117] kern/efi/mm: Fix possible NULL pointer dereference, Daniel Kiper, 2021/03/02