On Feb 5, 2025 kippndavis.work@xxxxxxx wrote:
>
> Although the LSM hooks for loading kernel modules were later generalized
> to cover loading other kinds of files, SELinux didn't implement
> corresponding permission checks, leaving only the module case covered.
> Define and add new permission checks for these other cases.
>
> Signed-off-by: Cameron K. Williams <ckwilliams.work@xxxxxxxxx>
> Signed-off-by: Kipp N. Davis <kippndavis.work@xxxxxxx>
> ---
>  security/selinux/hooks.c            | 54 ++++++++++++++++++++++++-----
>  security/selinux/include/classmap.h |  4 ++-
>  2 files changed, 49 insertions(+), 9 deletions(-)

Thanks for putting this patch together, and double thank you for the tests too! If you've got the time, it would be great if you could submit a patch/PR to update the notebook too:

* https://github.com/SELinuxProject/selinux-notebook

Some small comments below ...

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 7b867dfec88b..e96ade50c137 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4133,10 +4130,33 @@ static int selinux_kernel_read_file(struct file *file, > int rc = 0; > > switch (id) { > + case READING_FIRMWARE: > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__FIRMWARE_LOAD); > + break; > case READING_MODULE: > - rc = selinux_kernel_module_from_file(contents ? file : NULL); > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__MODULE_LOAD); > + break; > + case READING_KEXEC_IMAGE: > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__KEXEC_IMAGE_LOAD); > + break; > + case READING_KEXEC_INITRAMFS: > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__KEXEC_INITRAMFS_LOAD); > + break; > + case READING_POLICY: > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__POLICY_LOAD); > + break; > + case READING_X509_CERTIFICATE: > + rc = selinux_kernel_load_from_file(contents ? file : NULL, > + SYSTEM__X509_CERTIFICATE_LOAD); > break; > default: > + pr_err("SELinux: kernel_read_file_id unknown"); > + rc = -EACCES; If we can't come up with a way to catch new READING_XXX entries at compile time, e.g. socket address families or capabilities (grep for "#error" in security/selinux/hooks.c), I'm not sure we want to return an error here, both because we haven't previously and it ignores the loaded policy's UNK_PERMS setting. This also applies to selinux_kernel_load_data(). > break; > } -- paul-moore.com
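Review bot: the `pr_err("SELinux: kernel_read_file_id unknown")` in the new `default:` arm is missing a trailing newline and does not report which id was seen, so the message is hard to act on; if a message is kept at all, `pr_err("SELinux: unknown kernel_read_file_id %d\n", id);` (or a ratelimited variant, since this hook runs on every file the kernel reads) would be more useful. The accompanying `rc = -EACCES;` also turns every future addition to `enum kernel_read_file_id` into a hard denial until SELinux is updated, and sidesteps the loaded policy's own unknown-permission handling; a compile-time check against the enum's last entry, in the style of the existing `#error` guards in hooks.c, would catch new ids without changing runtime behaviour. Finally, the six `selinux_kernel_load_from_file(contents ? file : NULL, SYSTEM__..._LOAD)` arms differ only in the permission argument, so choosing the permission in the switch and making a single call afterwards would remove the repeated `contents ? file : NULL`.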