Re: should module_load be checked on a kernel module object?

On Mon, Oct 10, 2016 at 10:21 AM Dominick Grift <dac.override@xxxxxxxxx> wrote:
On 10/10/2016 07:16 PM, Jeffrey Vander Stoep wrote:
> No problem. We went through a number of iterations on this patch
> because of how confusing the target object for init_module is.
>
> On Android we neverallow use of init_module. Forcing userspace to use
> finit_module allows us to enforce restrictions on kernel module
> origin. We only allow module loading from verified-boot protected
> partitions.
>
> https://android-review.googlesource.com/#/c/214021/
>

That is a nice approach. After you reminded me, I started looking at my
policy and I actually commented it (I rarely comment in my policy):

                ; for compatibility with Linux =< 4.6
                (allow sys.load_kernel_module_subj_type_attribute self
                    (system (module_load)))

So I suppose if I want to support Linux 4.6 then I might not have the
option to neverallow it.


You shouldn't need this for compatibility. For kernel version <= 4.6, the kernel hook for selinux_kernel_read_file is unused so no policy is needed; it will already be allowed (or rather, not checked).

The issue is that modprobe uses init_module() to load a kernel module. That would need to be updated to use finit_module() in order to disallow init_module().

modprobe could be updated to behave more like insmod which defaults to using finit_module and falls back to init_module for old kernels. https://android.googlesource.com/platform/external/toybox/+/android-7.0.0_r14/toys/other/insmod.c#37

I don't know what kind of control you have over kernels, but if you want a stable backport of the module_load patch, we backported to 4.4, 4.1, 3.18, 3.14, and 3.10: https://android-review.googlesource.com/#/q/61d612ea731e57dc510472fb746b55cdc017f371+owner:jeffv
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
