diff options
| author | Jeff Vander Stoep <jeffv@google.com> | 2016-04-05 13:06:27 -0700 |
|---|---|---|
| committer | Jeff Vander Stoep <jeffv@google.com> | 2016-04-07 12:21:59 -0700 |
| commit | 00526cde6b4a4154e4ea528f8a0cea1017abbc1c (patch) | |
| tree | e488b47d8b4a55439a1bf0badf7ced140a5c4e74 /scripts/objdiff | |
| parent | a354cef9805bef94bb6fb6bd7887447846fee737 (diff) | |
BACKPORT: selinux: restrict kernel module loading
Backport notes:
Backport uses kernel_module_from_file not kernel_read_file hook.
kernel_read_file replaced kernel_module_from_file in the 4.6 kernel.
There are no inode_security_() helper functions (also introduced in
4.6) so the inode lookup is done using the file_inode() helper which
is standard for kernel version < 4.6.
(Cherry picked from commit 61d612ea731e57dc510472fb746b55cdc017f371)
Utilize existing kernel_read_file hook on kernel module load.
Add module_load permission to the system class.
Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has
permission module_load for the target type.
Example for finit_module:
allow foo bar_file:system module_load;
Similarly restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that source
type has permission module_load with itself as the target object
because the kernel module is sourced from the calling process.
Example for init_module:
allow foo foo:system module_load;
Bug: 27824855
Change-Id: I64bf3bd1ab2dc735321160642dc6bbfa996f8068
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'scripts/objdiff')
0 files changed, 0 insertions, 0 deletions