author Jeff Vander Stoep <jeffv@google.com> 2016-04-05 13:06:27 -0700
committer Mister Oyster <oysterized@gmail.com> 2017-04-25 11:28:24 +0200
commit fb67228005202805b65d219ff4a95e55e40f345c
tree f210cddd66aa7199632f48718a33616ac05d4cfa /include/uapi/linux
parent 41e819696f1e75466edf309d03bfe6b99bf03ef3

BACKPORT: selinux: restrict kernel module loading

Backport notes:
Backport uses kernel_module_from_file not kernel_read_file hook. kernel_read_file replaced kernel_module_from_file in the 4.6 kernel. There are no inode_security_() helper functions (also introduced in 4.6) so the inode lookup is done using the file_inode() helper which is standard for kernel version < 4.6.

(Cherry picked from commit 61d612ea731e57dc510472fb746b55cdc017f371)

Utilize existing kernel_read_file hook on kernel module load. Add module_load permission to the system class.

Enforces restrictions on kernel module origin when calling the finit_module syscall. The hook checks that source type has permission module_load for the target type. Example for finit_module:

    allow foo bar_file:system module_load;

Similarly restrictions are enforced on kernel module loading when calling the init_module syscall. The hook checks that source type has permission module_load with itself as the target object because the kernel module is sourced from the calling process. Example for init_module:

    allow foo foo:system module_load;

Bug: 27824855
Change-Id: I64bf3bd1ab2dc735321160642dc6bbfa996f8068
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'include/uapi/linux')
0 files changed, 0 insertions, 0 deletions
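
Added example, not part of this commit or of the kernel tree: a small policy audit that lists every system:module_load grant in policy source and labels it by the syscall path the commit message describes (target equal to the source or `self` means init_module, any other target type means finit_module from a file of that type). It assumes plain one-line allow rules without macros, attributes or set negation; the function name and all type names in the sample are hypothetical.

```python
import re

# One allow rule per line: allow <source> <target>:<class> <perms>;
# Each field may be a single name or a { brace set }.
FIELD = r"(\{[^}]*\}|\S+?)"
RULE = re.compile(
    r"^\s*allow\s+" + FIELD + r"\s+" + FIELD + r"\s*:\s*" + FIELD
    + r"\s+(\{[^}]*\}|[^;\s]+)\s*;"
)

# Constructed sample policy; every type name here is hypothetical.
SAMPLE_POLICY = """
allow foo bar_file:system module_load;
allow foo foo:system module_load;
allow init_t self:system { module_load module_request };
allow updater_t { vendor_file tmp_file }:system module_load;
allow foo bar_file:file read;   # unrelated rule, ignored
"""


def _names(token):
    """Expand 'name' or '{ a b c }' into a list of names."""
    return token.strip("{} ").split()


def module_load_rules(policy_text):
    """Return (source, target, syscall_path) for each module_load grant."""
    found = []
    for line in policy_text.splitlines():
        match = RULE.match(line.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        sources, targets, classes, perms = (_names(g) for g in match.groups())
        if "system" not in classes or "module_load" not in perms:
            continue
        for src in sources:
            for tgt in targets:
                # Module supplied from the caller's own memory: target is the caller.
                path = "init_module" if tgt in ("self", src) else "finit_module"
                found.append((src, tgt, path))
    return found


if __name__ == "__main__":
    for src, tgt, path in module_load_rules(SAMPLE_POLICY):
        print(f"{src:10} -> {tgt:12} via {path}")
```

The init_module rows deserve the closer look in review, since they permit loading module contents that never passed through a labelled file.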