SELinux: add selinux_kernel_module_request This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 25354c4fee169710fd9da15f3bb2abaa24dcf933 [log] [tgz]
author: Eric Paris <eparis@redhat.com> Thu Aug 13 09:45:03 2009 -0400
committer: James Morris <jmorris@namei.org> Fri Aug 14 11:18:40 2009 +1000
tree: 7fb462945c15ce09392ae858c8ae757290b5ed2d
parent: 9188499cdb117d86a1ea6b04374095b098d56936 [diff] [blame]
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5dee883..5aa45b1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

@@ -3296,6 +3296,11 @@
 	return 0;
 }
 
+static int selinux_kernel_module_request(void)
+{
+	return task_has_system(current, SYSTEM__MODULE_REQUEST);
+}
+
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return current_has_perm(p, PROCESS__SETPGID);
@@ -5404,6 +5409,7 @@
 	.cred_prepare =			selinux_cred_prepare,
 	.kernel_act_as =		selinux_kernel_act_as,
 	.kernel_create_files_as =	selinux_kernel_create_files_as,
+	.kernel_module_request =	selinux_kernel_module_request,
 	.task_setpgid =			selinux_task_setpgid,
 	.task_getpgid =			selinux_task_getpgid,
 	.task_getsid =			selinux_task_getsid,
commit	25354c4fee169710fd9da15f3bb2abaa24dcf933	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Thu Aug 13 09:45:03 2009 -0400
committer	James Morris <jmorris@namei.org>	Fri Aug 14 11:18:40 2009 +1000
tree	7fb462945c15ce09392ae858c8ae757290b5ed2d
parent	9188499cdb117d86a1ea6b04374095b098d56936 [diff] [blame]