security: introduce kernel_module_from_file hook

Now that kernel module origins can be reasoned about, provide a hook to
the LSMs to make policy decisions about the module file. This will let
Chrome OS enforce that loadable kernel modules can only come from its
read-only hash-verified root filesystem. Other LSMs can, for example,
read extended attributes for signatures, etc.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

1 files changed, 11 insertions, 0 deletions

diff --git a/kernel/module.c b/kernel/module.c
index 1395ca382fb5..a1d2ed8bab93 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -29,6 +29,7 @@
 #include <linux/vmalloc.h>
 #include <linux/elf.h>
 #include <linux/proc_fs.h>
+#include <linux/security.h>
 #include <linux/seq_file.h>
 #include <linux/syscalls.h>
 #include <linux/fcntl.h>
@@ -2485,10 +2486,16 @@ static int elf_header_check(struct load_info *info)
 static int copy_module_from_user(const void __user *umod, unsigned long len,
                                   struct load_info *info)
 {
+        int err;
+
         info->len = len;
         if (info->len < sizeof(*(info->hdr)))
                 return -ENOEXEC;
 
+        err = security_kernel_module_from_file(NULL);
+        if (err)
+                return err;
+
         /* Suck in entire file: we'll want most of it. */
         info->hdr = vmalloc(info->len);
         if (!info->hdr)
@@ -2515,6 +2522,10 @@ static int copy_module_from_fd(int fd, struct load_info *info)
         if (!file)
                 return -ENOEXEC;
 
+        err = security_kernel_module_from_file(file);
+        if (err)
+                goto out;
+
         err = vfs_getattr(file->f_vfsmnt, file->f_dentry, &stat);
         if (err)
                 goto out;