linux-uconsole/security/selinux
Jeff Vander Stoep c2e10e5cb2 BACKPORT: selinux: restrict kernel module loading
Backport notes:
Backport uses the kernel_module_from_file hook, not kernel_read_file.
kernel_read_file replaced kernel_module_from_file in the 4.6 kernel.
There are no inode_security_() helper functions (also introduced in
4.6) so the inode lookup is done using the file_inode() helper which
is standard for kernel version < 4.6.

(Cherry picked from commit 61d612ea73)

Utilize existing kernel_read_file hook on kernel module load.
Add module_load permission to the system class.

Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has
permission module_load for the target type.
Example for finit_module:

allow foo bar_file:system module_load;

Similarly restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that source
type has permission module_load with itself as the target object
because the kernel module is sourced from the calling process.
Example for init_module:

allow foo foo:system module_load;

Bug: 27824855
Change-Id: I64bf3bd1ab2dc735321160642dc6bbfa996f8068
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2016-05-19 12:32:41 +05:30
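To make the hook's two cases concrete, here is an added C model (not the kernel's hooks.c code) of the decision described in the commit message: the policy table holds the two quoted allow rules, `module_load_allowed()` picks the target type the way the hook does (the file's type for finit_module, the caller's own type for init_module, modelled here as a NULL file type), and `format_denial()` builds the kind of audit line a defender would grep for; the audit layout is a constructed approximation, not the kernel's exact output.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy: the two allow rules quoted in the commit message. */
struct rule { const char *src, *tgt, *cls, *perm; };
static const struct rule policy[] = {
    { "foo", "bar_file", "system", "module_load" }, /* finit_module on a bar_file */
    { "foo", "foo",      "system", "module_load" }, /* init_module from foo's own memory */
};

/* Model of avc_has_perm(): true if some allow rule grants perm on (src, tgt, cls). */
static bool avc_allowed(const char *src, const char *tgt, const char *cls, const char *perm)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].src, src) && !strcmp(policy[i].tgt, tgt) &&
            !strcmp(policy[i].cls, cls) && !strcmp(policy[i].perm, perm))
            return true;
    return false;
}

/* Model of the hook's target selection (hypothetical helper, not the kernel API):
 * finit_module supplies a file, so the target is the file's type;
 * init_module supplies no file (file_type == NULL), so the target is the caller itself. */
static bool module_load_allowed(const char *caller_type, const char *file_type)
{
    const char *target = file_type ? file_type : caller_type;
    return avc_allowed(caller_type, target, "system", "module_load");
}

/* Constructed, approximate shape of the denial an auditor would look for. */
static int format_denial(char *buf, size_t n, const char *caller_type, const char *file_type)
{
    const char *target = file_type ? file_type : caller_type;
    return snprintf(buf, n, "avc: denied { module_load } for scontext=%s tcontext=%s tclass=system",
                    caller_type, target);
}

int main(void)
{
    char line[160];
    printf("foo finit_module bar_file: %s\n", module_load_allowed("foo", "bar_file") ? "allowed" : "denied");
    printf("foo init_module:           %s\n", module_load_allowed("foo", NULL) ? "allowed" : "denied");
    format_denial(line, sizeof line, "foo", "untrusted_file");
    printf("foo finit_module untrusted_file: denied -> %s\n", line);
    return 0;
}
```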
include BACKPORT: selinux: restrict kernel module loading 2016-05-19 12:32:41 +05:30
ss selinux: Android kernel compatibility with M userspace 2016-02-16 13:53:56 -08:00
.gitignore
avc.c Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next 2015-08-15 13:29:57 +10:00
exports.c selinux: sparse fix: include selinux.h in exports.c 2011-09-09 16:56:32 -07:00
hooks.c BACKPORT: selinux: restrict kernel module loading 2016-05-19 12:32:41 +05:30
Kconfig selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default 2015-10-21 17:44:25 -04:00
Makefile selinux: change to new flag variable 2010-10-21 10:12:40 +11:00
netif.c Merge commit 'v3.17' into next 2014-11-19 21:32:12 +11:00
netlabel.c net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid() 2015-11-08 20:56:38 -05:00
netlink.c selinux: replace obsolete NLMSG_* with type safe nlmsg_* 2013-03-28 14:25:49 -04:00
netnode.c selinux: remove unused variables in the netport, netnode, and netif caches 2014-08-07 20:55:30 -04:00
netport.c selinux: remove unused variables in the netport, netnode, and netif caches 2014-08-07 20:55:30 -04:00
nlmsgtab.c selinux/nlmsg: add a build time check for rtnl/xfrm cmds 2015-04-13 13:09:44 -04:00
selinuxfs.c selinux: introduce security_context_str_to_sid 2015-10-21 17:44:25 -04:00
xfrm.c netfilter: Remove spurious includes of netfilter.h 2015-06-18 21:14:32 +02:00