SELinux: add selinux_kernel_module_request

This patch adds a new selinux hook so SELinux can arbitrate if a given
process should be allowed to trigger a request for the kernel to try to
load a module.  This is a different operation than a process trying to load
a module itself, which is already protected by CAP_SYS_MODULE.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5dee88362e71..5aa45b168122 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3296,6 +3296,11 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
         return 0;
 }
 
+static int selinux_kernel_module_request(void)
+{
+        return task_has_system(current, SYSTEM__MODULE_REQUEST);
+}
+
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 {
         return current_has_perm(p, PROCESS__SETPGID);
@@ -5404,6 +5409,7 @@ static struct security_operations selinux_ops = {
         .cred_prepare =                 selinux_cred_prepare,
         .kernel_act_as =                selinux_kernel_act_as,
         .kernel_create_files_as =       selinux_kernel_create_files_as,
+        .kernel_module_request =        selinux_kernel_module_request,
         .task_setpgid =                 selinux_task_setpgid,
         .task_getpgid =                 selinux_task_getpgid,
         .task_getsid =                  selinux_task_getsid,