On 06/28/2016 02:54 PM, Stephen Smalley wrote:
> On 06/28/2016 07:02 AM, Dominick Grift wrote:
>> On 06/22/2016 09:02 PM, Jeffrey Vander Stoep wrote:
>>> selinux@xxxxxxxxxxxxx to bcc
>>>
>>> Hi Ravi,
>>>
>>> The intent is not to restrict which processes may load modules,
>>> but to place restrictions on the origin of the module itself.
>>> Modules, like the kernel, should live on a verity protected
>>> partition.
>>>
>>> If you want system apps to load a kernel module from the system
>>> partition you just need to add an allow rule. e.g.
>>>
>>> # system_app loads /system/lib/module/wlan.ko
>>> allow system_app system_file:system module_load;
>>>
>>> Similar rules may be added for platform_app or system_server.
>>>
>>
>> In Fedora rawhide I see these where the target is "self". Example:
>>
>> allow kmod self:system module_load;
>>
>> Is that intended?
>
> That's the fallback when using init_module() rather than
> finit_module() to load modules, since the kernel does not see the file
> when using init_module(). With init_module(), userspace loads the
> module from the file into memory and passes a (pointer, len) pair to
> the kernel; with finit_module(), userspace opens the module file and
> passes the open file descriptor to the kernel. Ideally, one would
> convert all users of init_module() to finit_module(), then remove any
> self:system module_load permissions and only allow it for specific
> file types.
>

Thanks, one final question to make sure I understand this right:

Without the capability sys_module access vector the module_load permission is "useless". You need both (capability/sys_module plus system/module_load) to load kernel modules with success?

This is my initial support:

https://github.com/DefenSec/dssp/commit/c877fb7c91d1f404761fed282d88d40012876201

I will probably end up leaving this fallback support in, and then add finit_module() support as the need arises (I have not encountered finit_module() users yet).

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
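
Added example, not part of the thread or of any poster's policy: a small Python audit for the cleanup Stephen Smalley describes, listing every `system module_load` grant in classic policy-language source and marking `self` targets as the init_module() fallback. The sample policy is constructed; `loader_t` and the function names are assumptions made for illustration.

```python
import re

# Matches classic policy-language rules: allow SRC TGT:CLASS PERMS;
# SRC, TGT, CLASS and PERMS may each be one name or a { brace set }.
RULE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)


def _names(token):
    """Split a single name or a { brace set } into a list of names."""
    return token.strip("{} \t\n").split()


def audit_module_load(policy_text):
    """Return (domain, target, kind) for every rule granting system module_load.

    kind is "init_module-fallback" when the target is self: the kernel never
    saw a file, so the module's origin is not checked. It is "file-origin"
    when the target is a file type, as checked on the finit_module() path.
    """
    text = re.sub(r"#.*", "", policy_text)  # drop policy comments
    findings = []
    for src, tgt, cls, perms in RULE.findall(text):
        if "system" not in _names(cls) or "module_load" not in _names(perms):
            continue
        for domain in _names(src):
            for target in _names(tgt):
                kind = "init_module-fallback" if target == "self" else "file-origin"
                findings.append((domain, target, kind))
    return findings


# Constructed sample: the first two rules are the ones quoted in the thread,
# the last two are made up (loader_t is a hypothetical domain).
SAMPLE_POLICY = """
# system_app loads /system/lib/module/wlan.ko
allow system_app system_file:system module_load;
allow kmod self:system module_load;
allow kmod self:capability sys_module;
allow loader_t { self modules_object_t }:system { module_load syslog_read };
"""

if __name__ == "__main__":
    for domain, target, kind in audit_module_load(SAMPLE_POLICY):
        print(f"{domain:12} {target:18} {kind}")
```

Rules reported as `init_module-fallback` are the ones to retire once the loader in that domain uses finit_module().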