git: e3e8ec2ab620 - main - kexec: Disallow kexec_load if securelevel > 0

From: Justin Hibbits <jhibbits_at_FreeBSD.org>
Date: Wed, 22 Apr 2026 16:30:00 UTC 
The branch main has been updated by jhibbits:

URL: https://cgit.FreeBSD.org/src/commit/?id=e3e8ec2ab620f026b42b4988fce49eff7cec16eb

commit e3e8ec2ab620f026b42b4988fce49eff7cec16eb
Author:     Justin Hibbits <jhibbits@FreeBSD.org>
AuthorDate: 2026-04-22 15:51:06 +0000
Commit:     Justin Hibbits <jhibbits@FreeBSD.org>
CommitDate: 2026-04-22 16:28:54 +0000

    kexec: Disallow kexec_load if securelevel > 0
    
    kexec_load() + reboot is intended to be equivalent to a system reboot.
    However kexec_load() can load arbitrary data as the target kernel,
    leading to execution of arbitrary code, even though it's effectively in
    a new context.  Rather than being equivalent to a system reboot, it's
    also equivalent to kldload(), which loads arbitrary code into the
    running kernel.  Since kldload() is blocked at securelevel 1, also block
    kexec_load().
    
    Reported by:    markj
    Fixes:          e02c57ff3 ("kern: Introduce kexec system feature (MI)")
    Sponsored by:   Hewlett Packard Enterprise
    Differential Revision:  https://reviews.freebsd.org/D56580
---
 sys/kern/kern_kexec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/kern/kern_kexec.c b/sys/kern/kern_kexec.c
index 86ee9da9a606..5ba76512e963 100644
--- a/sys/kern/kern_kexec.c
+++ b/sys/kern/kern_kexec.c
@@ -342,6 +342,9 @@ sys_kexec_load(struct thread *td, struct kexec_load_args *uap)
 {
 	int error;
 
+	error = securelevel_gt(td->td_ucred, 0);
+	if (error != 0)
+		return (error);
 	// FIXME: Do w need a better privilege check than PRIV_REBOOT here?
 	error = priv_check(td, PRIV_REBOOT);
 	if (error != 0)