From patchwork Thu Aug 13 13:45:03 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Paris X-Patchwork-Id: 31299 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@bilbo.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from ozlabs.org (ozlabs.org [203.10.76.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mx.ozlabs.org", Issuer "CA Cert Signing Authority" (verified OK)) by bilbo.ozlabs.org (Postfix) with ESMTPS id 96E75B6F34 for ; Thu, 13 Aug 2009 23:47:52 +1000 (EST) Received: by ozlabs.org (Postfix) id 8C552DDD1B; Thu, 13 Aug 2009 23:47:52 +1000 (EST) Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 10030DDD0B for ; Thu, 13 Aug 2009 23:47:52 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754605AbZHMNqu (ORCPT ); Thu, 13 Aug 2009 09:46:50 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754580AbZHMNqu (ORCPT ); Thu, 13 Aug 2009 09:46:50 -0400 Received: from mx2.redhat.com ([66.187.237.31]:49746 "EHLO mx2.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752547AbZHMNqt (ORCPT ); Thu, 13 Aug 2009 09:46:49 -0400 Received: from int-mx2.corp.redhat.com (int-mx2.corp.redhat.com [172.16.27.26]) by mx2.redhat.com (8.13.8/8.13.8) with ESMTP id n7DDj4nX021211; Thu, 13 Aug 2009 09:45:04 -0400 Received: from ns3.rdu.redhat.com (ns3.rdu.redhat.com [10.11.255.199]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n7DDj3UU023135; Thu, 13 Aug 2009 09:45:03 -0400 Received: from paris.rdu.redhat.com (paris.rdu.redhat.com [10.11.231.241]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n7DDj3xc010751; Thu, 13 Aug 2009 09:45:03 -0400 From: Eric Paris Subject: [PATCH 3/3] SELinux: add selinux_kernel_module_request To: linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-security-module@vger.kernel.org Cc: sds@tycho.nsa.gov, davem@davemloft.net, shemminger@linux-foundation.org, kees@ubuntu.com, morgan@kernel.org, casey@schaufler-ca.com, dwalsh@redhat.com Date: Thu, 13 Aug 2009 09:45:03 -0400 Message-ID: <20090813134502.29186.7938.stgit@paris.rdu.redhat.com> In-Reply-To: <20090813134451.29186.41664.stgit@paris.rdu.redhat.com> References: <20090813134451.29186.41664.stgit@paris.rdu.redhat.com> User-Agent: StGIT/0.14.3 MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris Acked-by: Serge Hallyn --- security/selinux/hooks.c | 6 ++++++ security/selinux/include/av_perm_to_string.h | 1 + security/selinux/include/av_permissions.h | 1 + 3 files changed, 8 insertions(+), 0 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 38afca9..b0d72f1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3296,6 +3296,11 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) return 0; } +static int selinux_kernel_module_request(void) +{ + return task_has_system(current, SYSTEM__MODULE_REQUEST); +} + static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) { return current_has_perm(p, PROCESS__SETPGID); @@ -5457,6 +5462,7 @@ static struct security_operations selinux_ops = { .cred_prepare = selinux_cred_prepare, .kernel_act_as = selinux_kernel_act_as, .kernel_create_files_as = selinux_kernel_create_files_as, + .kernel_module_request = selinux_kernel_module_request, .task_setpgid = selinux_task_setpgid, .task_getpgid = selinux_task_getpgid, .task_getsid = selinux_task_getsid, diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 31df1d7..2b683ad 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h @@ -107,6 +107,7 @@ S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read") S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod") S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console") + S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request") S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown") S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override") S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search") diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0b41ad5..0546d61 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -530,6 +530,7 @@ #define SYSTEM__SYSLOG_READ 0x00000002UL #define SYSTEM__SYSLOG_MOD 0x00000004UL #define SYSTEM__SYSLOG_CONSOLE 0x00000008UL +#define SYSTEM__MODULE_REQUEST 0x00000010UL #define CAPABILITY__CHOWN 0x00000001UL #define CAPABILITY__DAC_OVERRIDE 0x00000002UL #define CAPABILITY__DAC_READ_SEARCH 0x00000004UL