On Fri, Nov 22, 2019 at 5:47 PM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> Test kernel module loading permissions.
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> V2 Change:
> Check permission denial module_load versus module_request by using a
> test kernel module for each.
> Note: Rawhide (with secnext kernel) adds built-in.a and built-in.a.cmd when
> building modules, therefore added to Makefile and .gitignore.
> V3 Changes:
> As requested in [1] except policy change, coalesced type attributes instead.
> V4 Change:
> Combine the original initmoddoman and finitmoddomain type
> attribute for both sets of types
> V5 Change:
> Do not run on kernels < 4.7 as module loading not supported.
>
> [1] https://lore.kernel.org/selinux/CAFqZXNtm_X+YssnX_3_5ThkVZY+9SBeQC5Qo78s+geSsBok8=Q@xxxxxxxxxxxxxx/
>
>  policy/Makefile                           |   4 +
>  policy/test_module_load.te                |  72 +++++++++++++
>  tests/Makefile                            |   6 ++
>  tests/module_load/.gitignore              |  11 ++
>  tests/module_load/Makefile                |  12 +++
>  tests/module_load/finit_load.c            |  94 +++++++++++++++++
>  tests/module_load/init_load.c             | 123 ++++++++++++++++++++++
>  tests/module_load/setest_module_load.c    |  18 ++++
>  tests/module_load/setest_module_request.c |  22 ++++
>  tests/module_load/test                    |  62 +++++++++++
>  10 files changed, 424 insertions(+)
>  create mode 100644 policy/test_module_load.te
>  create mode 100644 tests/module_load/.gitignore
>  create mode 100644 tests/module_load/Makefile
>  create mode 100644 tests/module_load/finit_load.c
>  create mode 100644 tests/module_load/init_load.c
>  create mode 100644 tests/module_load/setest_module_load.c
>  create mode 100644 tests/module_load/setest_module_request.c
>  create mode 100755 tests/module_load/test

Now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/a68d583c2a70e5d434f4f24d1fcf73b3e22d289e

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.