On Tuesday, April 05, 2016 01:06:27 PM Jeff Vander Stoep wrote:
> Utilize existing kernel_read_file hook on kernel module load.
> Add module_load permission to the system class.
>
> Enforces restrictions on kernel module origin when calling the
> finit_module syscall. The hook checks that source type has
> permission module_load for the target type.
> Example for finit_module:
>
> allow foo bar_file:system module_load;
>
> Similarly restrictions are enforced on kernel module loading when
> calling the init_module syscall. The hook checks that source
> type has permission module_load with itself as the target object
> because the kernel module is sourced from the calling process.
> Example for init_module:
>
> allow foo foo:system module_load;
>
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
> ---
> v2: The target type for init_module changed from SECINITSID_KERNEL
> to the same type as the source.
> v3: Use inode_security() to ensure inode's label is revalidated.

Merged, thanks for your patience.  I had to do one minor fixup to resolve
a problem at compile time, see below.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3fa3ca5..231c897 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c

...

> +static selinux_kernel_read_file(struct file *file, enum kernel_read_file_id
> id)

You're missing the return type :)

No need to resend, I fixed it when merging your patch, see the
selinux#next branch.

-- 
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
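Review bot: the quoted definition of selinux_kernel_read_file() lacks its return type (it should be `static int selinux_kernel_read_file(...)`, as the reply notes was fixed on merge), and because the body of the hook is elided here it is not visible whether the function returns 0 early for any `id` other than the module-loading case; the `enum kernel_read_file_id id` argument exists precisely because kernel_read_file is invoked for more than module loads, so an `if (id != READING_MODULE) return 0;` at the top of the hook is needed to keep the module_load check from being applied to every kernel_read_file caller.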
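The commit message above describes two different target objects for the same permission: the module file's type for finit_module(2), and the caller's own type for init_module(2), because with init_module the kernel only ever sees a buffer owned by the calling process. The following userspace probe, an added example that is not part of Jeff's patch or Paul's reply, loads one module through either path so that a policy author can confirm which rule each path is checked against. It assumes Linux with a libc that defines SYS_finit_module and SYS_init_module; the module path, the domain name `foo` and the file type named in the comments are placeholders.

```c
/* Added example, not from the SELinux tree: exercise finit_module(2) and
 * init_module(2) separately so the two module_load checks can be observed.
 * Assumes Linux; SYS_finit_module/SYS_init_module come from <sys/syscall.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Path 1: finit_module(2). The kernel reads the file itself, so the
 * kernel_read_file hook checks "allow <caller> <file type>:system module_load".
 * Returns 0 on success or -errno on failure. */
int load_module_from_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
#ifdef SYS_finit_module
    long rc = syscall(SYS_finit_module, fd, "", 0);
    int err = errno;
#else
    long rc = -1;
    int err = ENOSYS; /* no such syscall on this platform */
#endif
    close(fd);
    return rc == 0 ? 0 : -err;
}

/* Path 2: init_module(2). The caller copies the file into its own memory
 * first; the kernel sees only a buffer, so the hook checks
 * "allow <caller> <caller>:system module_load" (self as the target). */
int load_module_from_memory(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    char *buf = malloc(st.st_size > 0 ? (size_t)st.st_size : 1);
    if (!buf) {
        close(fd);
        return -ENOMEM;
    }
    off_t got = 0;
    while (got < st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)(st.st_size - got));
        if (n <= 0) {
            int e = n < 0 ? errno : EIO;
            free(buf);
            close(fd);
            return -e;
        }
        got += n;
    }
    close(fd);
#ifdef SYS_init_module
    long rc = syscall(SYS_init_module, buf, (unsigned long)got, "");
    int err = errno;
#else
    long rc = -1;
    int err = ENOSYS; /* no such syscall on this platform */
#endif
    free(buf);
    return rc == 0 ? 0 : -err;
}

/* Usage: ./probe file|memory /path/to/example.ko  (path is a placeholder).
 * Under a policy that grants only "allow foo modules_file_t:system module_load;"
 * (hypothetical type name), the "file" path is expected to load the module and
 * the "memory" path to fail with EACCES plus an AVC denial on
 * "foo foo:system module_load". Unload between runs; a second load of an
 * already-loaded module fails with EEXIST regardless of policy. */
int main(int argc, char **argv)
{
    if (argc != 3 || (strcmp(argv[1], "file") && strcmp(argv[1], "memory"))) {
        fprintf(stderr, "usage: %s file|memory <module.ko>\n", argv[0]);
        return 2;
    }
    int rc = strcmp(argv[1], "file") == 0 ? load_module_from_file(argv[2])
                                          : load_module_from_memory(argv[2]);
    printf("%s_module: %s\n", strcmp(argv[1], "file") == 0 ? "finit" : "init",
           rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run the probe from inside the domain whose rules you are testing (it needs CAP_SYS_MODULE on top of the SELinux permission); a denial shows up as EACCES from the syscall and an avc: denied line naming either the file's type or the caller's own type as the target, which is the quickest way to see which of the two rules in the commit message a given load path is hitting.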