On 2/7/2025 4:08 PM, Paul Moore wrote:
On Feb 5, 2025 kippndavis.work@xxxxxxx wrote:
Although the LSM hooks for loading kernel modules were later generalized
to cover loading other kinds of files, SELinux didn't implement
corresponding permission checks, leaving only the module case covered.
Define and add new permission checks for these other cases.
Signed-off-by: Cameron K. Williams <ckwilliams.work@xxxxxxxxx>
Signed-off-by: Kipp N. Davis <kippndavis.work@xxxxxxx>
---
security/selinux/hooks.c | 54 ++++++++++++++++++++++++-----
security/selinux/include/classmap.h | 4 ++-
2 files changed, 49 insertions(+), 9 deletions(-)
Thanks for putting this patch together, and double thank you for the
tests too! If you've got the time, it would be great if you could
submit a patch/PR to update the notebook too:
* https://github.com/SELinuxProject/selinux-notebook
I went ahead and put together a notebook PR here:
https://github.com/SELinuxProject/selinux-notebook/pull/45
Kipp, if you are able to take a look and make sure I have the details
right, that would be appreciated.
I'll keep the notebook PR updated if the permissions change and merge it
after the code is in -next.
-Daniel