security: introducing security_request_module

Calling request_module() will trigger a userspace upcall which will load a
new module into the kernel.  This can be a dangerous event if the process
able to trigger request_module() is able to control either the modprobe
binary or the module binary.  This patch adds a new security hook to
request_module() which can be used by an LSM to control a processes ability
to call request_module().

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Eric Paris 2009-08-13 09:44:57 -04:00 committed by James Morris
parent a8f80e8ff9
commit 9188499cdb
4 changed files with 25 additions and 0 deletions

View file

@ -678,6 +678,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @inode points to the inode to use as a reference. * @inode points to the inode to use as a reference.
* The current task must be the one that nominated @inode. * The current task must be the one that nominated @inode.
* Return 0 if successful. * Return 0 if successful.
* @kernel_module_request:
* Ability to trigger the kernel to automatically upcall to userspace for
* userspace to load a kernel module with the given name.
* @task_setuid: * @task_setuid:
* Check permission before setting one or more of the user identity * Check permission before setting one or more of the user identity
* attributes of the current process. The @flags parameter indicates * attributes of the current process. The @flags parameter indicates
@ -1489,6 +1492,7 @@ struct security_operations {
void (*cred_commit)(struct cred *new, const struct cred *old); void (*cred_commit)(struct cred *new, const struct cred *old);
int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_act_as)(struct cred *new, u32 secid);
int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
int (*kernel_module_request)(void);
int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
int (*task_fix_setuid) (struct cred *new, const struct cred *old, int (*task_fix_setuid) (struct cred *new, const struct cred *old,
int flags); int flags);
@ -1741,6 +1745,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_commit_creds(struct cred *new, const struct cred *old); void security_commit_creds(struct cred *new, const struct cred *old);
int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(void);
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
int security_task_fix_setuid(struct cred *new, const struct cred *old, int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags); int flags);
@ -2292,6 +2297,11 @@ static inline int security_kernel_create_files_as(struct cred *cred,
return 0; return 0;
} }
static inline int security_kernel_module_request(void)
{
return 0;
}
static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
int flags) int flags)
{ {

View file

@ -78,6 +78,10 @@ int __request_module(bool wait, const char *fmt, ...)
#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */ #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
static int kmod_loop_msg; static int kmod_loop_msg;
ret = security_kernel_module_request();
if (ret)
return ret;
va_start(args, fmt); va_start(args, fmt);
ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
va_end(args); va_end(args);

View file

@ -396,6 +396,11 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
return 0; return 0;
} }
static int cap_kernel_module_request(void)
{
return 0;
}
static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{ {
return 0; return 0;
@ -945,6 +950,7 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, cred_commit); set_to_cap_if_null(ops, cred_commit);
set_to_cap_if_null(ops, kernel_act_as); set_to_cap_if_null(ops, kernel_act_as);
set_to_cap_if_null(ops, kernel_create_files_as); set_to_cap_if_null(ops, kernel_create_files_as);
set_to_cap_if_null(ops, kernel_module_request);
set_to_cap_if_null(ops, task_setuid); set_to_cap_if_null(ops, task_setuid);
set_to_cap_if_null(ops, task_fix_setuid); set_to_cap_if_null(ops, task_fix_setuid);
set_to_cap_if_null(ops, task_setgid); set_to_cap_if_null(ops, task_setgid);

View file

@ -709,6 +709,11 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
return security_ops->kernel_create_files_as(new, inode); return security_ops->kernel_create_files_as(new, inode);
} }
int security_kernel_module_request(void)
{
return security_ops->kernel_module_request();
}
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{ {
return security_ops->task_setuid(id0, id1, id2, flags); return security_ops->task_setuid(id0, id1, id2, flags);