Re: [PATCH 2/3] security: introducing security_request_module

From: Serge E. Hallyn
Date: Thu Aug 13 2009 - 10:12:24 EST


Quoting Eric Paris (eparis@xxxxxxxxxx):
> Calling request_module() will trigger a userspace upcall which will load a
> new module into the kernel. This can be a dangerous event if the process
> able to trigger request_module() is able to control either the modprobe
> binary or the module binary. This patch adds a new security hook to
> request_module() which can be used by an LSM to control a process's ability
> to call request_module().

Is there a specific case in which you'd want to deny this ability
from a real task?

-serge