summaryrefslogtreecommitdiffstats
path: root/security/selinux/include
diff options
context:
space:
mode:
authorJeff Vander Stoep <jeffv@google.com>2016-04-05 22:06:27 +0200
committerPaul Moore <paul@paul-moore.com>2016-04-05 22:11:56 +0200
commit61d612ea731e57dc510472fb746b55cdc017f371 (patch)
treeb44c2c0228284fffaa2f7a09de7bae85da0a3d72 /security/selinux/include
parentselinux: consolidate the ptrace parent lookup code (diff)
downloadlinux-61d612ea731e57dc510472fb746b55cdc017f371.tar.xz
linux-61d612ea731e57dc510472fb746b55cdc017f371.zip
selinux: restrict kernel module loading
Utilize existing kernel_read_file hook on kernel module load. Add module_load permission to the system class. Enforces restrictions on kernel module origin when calling the finit_module syscall. The hook checks that source type has permission module_load for the target type. Example for finit_module: allow foo bar_file:system module_load; Similarly restrictions are enforced on kernel module loading when calling the init_module syscall. The hook checks that source type has permission module_load with itself as the target object because the kernel module is sourced from the calling process. Example for init_module: allow foo foo:system module_load; Signed-off-by: Jeff Vander Stoep <jeffv@google.com> [PM: fixed return value of selinux_kernel_read_file()] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/classmap.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index ef83c4b85a33..8fbd1383d75e 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -32,7 +32,7 @@ struct security_class_mapping secclass_map[] = {
"setsockcreate", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
- "syslog_console", "module_request", NULL } },
+ "syslog_console", "module_request", "module_load", NULL } },
{ "capability",
{ "chown", "dac_override", "dac_read_search",
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",