On 06/28/2016 07:02 AM, Dominick Grift wrote: > On 06/22/2016 09:02 PM, Jeffrey Vander Stoep wrote: >> selinux@xxxxxxxxxxxxx to bcc >> >> Hi Ravi, >> >> The intent is not to restrict which processes may load modules, >> but to place restrictions on the origin of the module itself. >> Modules, like the kernel, should live on a verity protected >> partition. >> >> If you want system apps to load a kernel module from the system >> partition you just need to add an allow rule. e.g. >> >> # system_app loads /system/lib/module/wlan.ko allow system_app >> system_file:system module_load; >> >> Similar rules may be added for platform_app or system_server. >> > > In Fedora rawhide i see these where the target is "self". example: > > allow kmod self:system module_load; > > is that intended? That's the fallback when using init_module() rather than finit_module() to load modules, since the kernel does not see the file when using init_module(). With init_module(), userspace loads the module from the file into memory and passes a (pointer, len) pair to the kernel; with finit_module(), userspace opens the module file and passes the open file descriptor to the kernel. Ideally, one would convert all users of init_module() to finit_module(), then remove any self:system module_load permissions and only allow it for specific file types. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
