security: introducing security_request_module Calling request_module() will trigger a userspace upcall which will load a new module into the kernel. This can be a dangerous event if the process able to trigger request_module() is able to control either the modprobe binary or the module binary. This patch adds a new security hook to request_module() which can be used by an LSM to control a processes ability to call request_module(). Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 9188499cdb117d86a1ea6b04374095b098d56936 [log] [tgz]
author: Eric Paris <eparis@redhat.com> Thu Aug 13 09:44:57 2009 -0400
committer: James Morris <jmorris@namei.org> Fri Aug 14 11:18:37 2009 +1000
tree: 7c0dd23f2c98630c426cbd0bfbf5e46cc689091e
parent: a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c [diff] [blame]
diff --git a/security/security.c b/security/security.c
index 4501c5e..0e993f4 100644
--- a/security/security.c
+++ b/security/security.c

@@ -709,6 +709,11 @@
 	return security_ops->kernel_create_files_as(new, inode);
 }
 
+int security_kernel_module_request(void)
+{
+	return security_ops->kernel_module_request();
+}
+
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
 	return security_ops->task_setuid(id0, id1, id2, flags);
commit	9188499cdb117d86a1ea6b04374095b098d56936	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Thu Aug 13 09:44:57 2009 -0400
committer	James Morris <jmorris@namei.org>	Fri Aug 14 11:18:37 2009 +1000
tree	7c0dd23f2c98630c426cbd0bfbf5e46cc689091e
parent	a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c [diff] [blame]