diff options
author | Eric Paris <eparis@redhat.com> | 2009-08-13 09:45:03 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-08-13 21:18:40 -0400 |
commit | 25354c4fee169710fd9da15f3bb2abaa24dcf933 (patch) | |
tree | 7fb462945c15ce09392ae858c8ae757290b5ed2d | |
parent | 9188499cdb117d86a1ea6b04374095b098d56936 (diff) |
SELinux: add selinux_kernel_module_request
This patch adds a new selinux hook so SELinux can arbitrate if a given
process should be allowed to trigger a request for the kernel to try to
load a module. This is a different operation than a process trying to load
a module itself, which is already protected by CAP_SYS_MODULE.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/hooks.c | 6 | ||||
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 1 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 1 |
3 files changed, 8 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5dee88362e71..5aa45b168122 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3296,6 +3296,11 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) | |||
3296 | return 0; | 3296 | return 0; |
3297 | } | 3297 | } |
3298 | 3298 | ||
3299 | static int selinux_kernel_module_request(void) | ||
3300 | { | ||
3301 | return task_has_system(current, SYSTEM__MODULE_REQUEST); | ||
3302 | } | ||
3303 | |||
3299 | static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) | 3304 | static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) |
3300 | { | 3305 | { |
3301 | return current_has_perm(p, PROCESS__SETPGID); | 3306 | return current_has_perm(p, PROCESS__SETPGID); |
@@ -5404,6 +5409,7 @@ static struct security_operations selinux_ops = { | |||
5404 | .cred_prepare = selinux_cred_prepare, | 5409 | .cred_prepare = selinux_cred_prepare, |
5405 | .kernel_act_as = selinux_kernel_act_as, | 5410 | .kernel_act_as = selinux_kernel_act_as, |
5406 | .kernel_create_files_as = selinux_kernel_create_files_as, | 5411 | .kernel_create_files_as = selinux_kernel_create_files_as, |
5412 | .kernel_module_request = selinux_kernel_module_request, | ||
5407 | .task_setpgid = selinux_task_setpgid, | 5413 | .task_setpgid = selinux_task_setpgid, |
5408 | .task_getpgid = selinux_task_getpgid, | 5414 | .task_getpgid = selinux_task_getpgid, |
5409 | .task_getsid = selinux_task_getsid, | 5415 | .task_getsid = selinux_task_getsid, |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 31df1d7c1aee..2b683ad83d21 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
@@ -107,6 +107,7 @@ | |||
107 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") | 107 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") |
108 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") | 108 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") |
109 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") | 109 | S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") |
110 | S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request") | ||
110 | S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") | 111 | S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") |
111 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") | 112 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") |
112 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") | 113 | S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index d645192ee950..21c722669902 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -508,6 +508,7 @@ | |||
508 | #define SYSTEM__SYSLOG_READ 0x00000002UL | 508 | #define SYSTEM__SYSLOG_READ 0x00000002UL |
509 | #define SYSTEM__SYSLOG_MOD 0x00000004UL | 509 | #define SYSTEM__SYSLOG_MOD 0x00000004UL |
510 | #define SYSTEM__SYSLOG_CONSOLE 0x00000008UL | 510 | #define SYSTEM__SYSLOG_CONSOLE 0x00000008UL |
511 | #define SYSTEM__MODULE_REQUEST 0x00000010UL | ||
511 | #define CAPABILITY__CHOWN 0x00000001UL | 512 | #define CAPABILITY__CHOWN 0x00000001UL |
512 | #define CAPABILITY__DAC_OVERRIDE 0x00000002UL | 513 | #define CAPABILITY__DAC_OVERRIDE 0x00000002UL |
513 | #define CAPABILITY__DAC_READ_SEARCH 0x00000004UL | 514 | #define CAPABILITY__DAC_READ_SEARCH 0x00000004UL |