lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

security: introduce kernel_module_from_file hook

Browse Source 
Now that kernel module origins can be reasoned about, provide a hook to
the LSMs to make policy decisions about the module file. This will let
Chrome OS enforce that loadable kernel modules can only come from its
read-only hash-verified root filesystem. Other LSMs can, for example,
read extended attributes for signatures, etc.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Kees Cook
2012-10-16 07:32:07 +10:30
committed by Rusty Russell
parent 2f3238aebe
commit 2e72d51b4a
4 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
security/security.c
View File

@@ -820,6 +820,11 @@ int security_kernel_module_request(char *kmod_name)
return security_ops->kernel_module_request(kmod_name);
}
int security_kernel_module_from_file(struct file *file)
{
return security_ops->kernel_module_from_file(file);
}
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{