diff options
| author | Eric Paris <eparis@redhat.com> | 2009-08-13 09:44:57 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2009-08-13 21:18:37 -0400 |
| commit | 9188499cdb117d86a1ea6b04374095b098d56936 (patch) | |
| tree | 7c0dd23f2c98630c426cbd0bfbf5e46cc689091e | |
| parent | a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c (diff) | |
security: introducing security_request_module
Calling request_module() will trigger a userspace upcall which will load a
new module into the kernel. This can be a dangerous event if the process
able to trigger request_module() is able to control either the modprobe
binary or the module binary. This patch adds a new security hook to
request_module() which can be used by an LSM to control a processes ability
to call request_module().
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | include/linux/security.h | 10 | ||||
| -rw-r--r-- | kernel/kmod.c | 4 | ||||
| -rw-r--r-- | security/capability.c | 6 | ||||
| -rw-r--r-- | security/security.c | 5 |
4 files changed, 25 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 57ead99d2593..1e3dd86eea99 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -678,6 +678,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 678 | * @inode points to the inode to use as a reference. | 678 | * @inode points to the inode to use as a reference. |
| 679 | * The current task must be the one that nominated @inode. | 679 | * The current task must be the one that nominated @inode. |
| 680 | * Return 0 if successful. | 680 | * Return 0 if successful. |
| 681 | * @kernel_module_request: | ||
| 682 | * Ability to trigger the kernel to automatically upcall to userspace for | ||
| 683 | * userspace to load a kernel module with the given name. | ||
| 681 | * @task_setuid: | 684 | * @task_setuid: |
| 682 | * Check permission before setting one or more of the user identity | 685 | * Check permission before setting one or more of the user identity |
| 683 | * attributes of the current process. The @flags parameter indicates | 686 | * attributes of the current process. The @flags parameter indicates |
| @@ -1489,6 +1492,7 @@ struct security_operations { | |||
| 1489 | void (*cred_commit)(struct cred *new, const struct cred *old); | 1492 | void (*cred_commit)(struct cred *new, const struct cred *old); |
| 1490 | int (*kernel_act_as)(struct cred *new, u32 secid); | 1493 | int (*kernel_act_as)(struct cred *new, u32 secid); |
| 1491 | int (*kernel_create_files_as)(struct cred *new, struct inode *inode); | 1494 | int (*kernel_create_files_as)(struct cred *new, struct inode *inode); |
| 1495 | int (*kernel_module_request)(void); | ||
| 1492 | int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); | 1496 | int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); |
| 1493 | int (*task_fix_setuid) (struct cred *new, const struct cred *old, | 1497 | int (*task_fix_setuid) (struct cred *new, const struct cred *old, |
| 1494 | int flags); | 1498 | int flags); |
| @@ -1741,6 +1745,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); | |||
| 1741 | void security_commit_creds(struct cred *new, const struct cred *old); | 1745 | void security_commit_creds(struct cred *new, const struct cred *old); |
| 1742 | int security_kernel_act_as(struct cred *new, u32 secid); | 1746 | int security_kernel_act_as(struct cred *new, u32 secid); |
| 1743 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); | 1747 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); |
| 1748 | int security_kernel_module_request(void); | ||
| 1744 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); | 1749 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); |
| 1745 | int security_task_fix_setuid(struct cred *new, const struct cred *old, | 1750 | int security_task_fix_setuid(struct cred *new, const struct cred *old, |
| 1746 | int flags); | 1751 | int flags); |
| @@ -2292,6 +2297,11 @@ static inline int security_kernel_create_files_as(struct cred *cred, | |||
| 2292 | return 0; | 2297 | return 0; |
| 2293 | } | 2298 | } |
| 2294 | 2299 | ||
| 2300 | static inline int security_kernel_module_request(void) | ||
| 2301 | { | ||
| 2302 | return 0; | ||
| 2303 | } | ||
| 2304 | |||
| 2295 | static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, | 2305 | static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, |
| 2296 | int flags) | 2306 | int flags) |
| 2297 | { | 2307 | { |
diff --git a/kernel/kmod.c b/kernel/kmod.c index 385c31a1bdbf..5a7ae57f983f 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c | |||
| @@ -78,6 +78,10 @@ int __request_module(bool wait, const char *fmt, ...) | |||
| 78 | #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */ | 78 | #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */ |
| 79 | static int kmod_loop_msg; | 79 | static int kmod_loop_msg; |
| 80 | 80 | ||
| 81 | ret = security_kernel_module_request(); | ||
| 82 | if (ret) | ||
| 83 | return ret; | ||
| 84 | |||
| 81 | va_start(args, fmt); | 85 | va_start(args, fmt); |
| 82 | ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); | 86 | ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); |
| 83 | va_end(args); | 87 | va_end(args); |
diff --git a/security/capability.c b/security/capability.c index ec0573054024..1b943f54b2ea 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -396,6 +396,11 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode) | |||
| 396 | return 0; | 396 | return 0; |
| 397 | } | 397 | } |
| 398 | 398 | ||
| 399 | static int cap_kernel_module_request(void) | ||
| 400 | { | ||
| 401 | return 0; | ||
| 402 | } | ||
| 403 | |||
| 399 | static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | 404 | static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) |
| 400 | { | 405 | { |
| 401 | return 0; | 406 | return 0; |
| @@ -945,6 +950,7 @@ void security_fixup_ops(struct security_operations *ops) | |||
| 945 | set_to_cap_if_null(ops, cred_commit); | 950 | set_to_cap_if_null(ops, cred_commit); |
| 946 | set_to_cap_if_null(ops, kernel_act_as); | 951 | set_to_cap_if_null(ops, kernel_act_as); |
| 947 | set_to_cap_if_null(ops, kernel_create_files_as); | 952 | set_to_cap_if_null(ops, kernel_create_files_as); |
| 953 | set_to_cap_if_null(ops, kernel_module_request); | ||
| 948 | set_to_cap_if_null(ops, task_setuid); | 954 | set_to_cap_if_null(ops, task_setuid); |
| 949 | set_to_cap_if_null(ops, task_fix_setuid); | 955 | set_to_cap_if_null(ops, task_fix_setuid); |
| 950 | set_to_cap_if_null(ops, task_setgid); | 956 | set_to_cap_if_null(ops, task_setgid); |
diff --git a/security/security.c b/security/security.c index 4501c5e1f988..0e993f42ce3d 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -709,6 +709,11 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) | |||
| 709 | return security_ops->kernel_create_files_as(new, inode); | 709 | return security_ops->kernel_create_files_as(new, inode); |
| 710 | } | 710 | } |
| 711 | 711 | ||
| 712 | int security_kernel_module_request(void) | ||
| 713 | { | ||
| 714 | return security_ops->kernel_module_request(); | ||
| 715 | } | ||
| 716 | |||
| 712 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | 717 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) |
| 713 | { | 718 | { |
| 714 | return security_ops->task_setuid(id0, id1, id2, flags); | 719 | return security_ops->task_setuid(id0, id1, id2, flags); |