diff options
| author | Jeff Vander Stoep <jeffv@google.com> | 2016-04-05 13:06:27 -0700 |
|---|---|---|
| committer | Amit Pundir <amit.pundir@linaro.org> | 2016-05-19 12:32:41 +0530 |
| commit | c2e10e5cb24622a42dba65c52e1a4793c9287966 (patch) | |
| tree | 674b3505680d24ae1bbb812200b63e53cfa57899 /scripts/stackusage | |
| parent | b8a5593858bb3d7100b3d94483299bff54e6efbe (diff) | |
BACKPORT: selinux: restrict kernel module loading
Backport notes:
Backport uses kernel_module_from_file not kernel_read_file hook.
kernel_read_file replaced kernel_module_from_file in the 4.6 kernel.
There are no inode_security_() helper functions (also introduced in
4.6) so the inode lookup is done using the file_inode() helper which
is standard for kernel version < 4.6.
(Cherry picked from commit 61d612ea731e57dc510472fb746b55cdc017f371)
Utilize existing kernel_read_file hook on kernel module load.
Add module_load permission to the system class.
Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has
permission module_load for the target type.
Example for finit_module:
allow foo bar_file:system module_load;
Similarly restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that source
type has permission module_load with itself as the target object
because the kernel module is sourced from the calling process.
Example for init_module:
allow foo foo:system module_load;
Bug: 27824855
Change-Id: I64bf3bd1ab2dc735321160642dc6bbfa996f8068
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'scripts/stackusage')
0 files changed, 0 insertions, 0 deletions