summaryrefslogtreecommitdiff
path: root/include/linux/lsm_hooks.h
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2015-12-30 15:35:30 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2016-02-21 17:06:12 +0300
commita1db74209483a24c861c848b4bb79a4d945ef6fa (patch)
tree4edf4c1a22e4a8446166366e5cee358c99e8fda0 /include/linux/lsm_hooks.h
parentb844f0ecbc5626ec26cfc70cb144a4c9b85dc3f2 (diff)
downloadlinux-a1db74209483a24c861c848b4bb79a4d945ef6fa.tar.xz
module: replace copy_module_from_fd with kernel version
Replace copy_module_from_fd() with kernel_read_file_from_fd(). Although none of the upstreamed LSMs define a kernel_module_from_file hook, IMA is called, based on policy, to prevent unsigned kernel modules from being loaded by the original kernel module syscall and to measure/appraise signed kernel modules. The security function security_kernel_module_from_file() was called prior to reading a kernel module. Preventing unsigned kernel modules from being loaded by the original kernel module syscall remains on the pre-read kernel_read_file() security hook. Instead of reading the kernel module twice, once for measuring/appraising and again for loading the kernel module, the signature validation is moved to the kernel_post_read_file() security hook. This patch removes the security_kernel_module_from_file() hook and security call. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'include/linux/lsm_hooks.h')
-rw-r--r--include/linux/lsm_hooks.h7
1 files changed, 0 insertions, 7 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index d32b7bd13635..cdee11cbcdf1 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -546,12 +546,6 @@
* userspace to load a kernel module with the given name.
* @kmod_name name of the module requested by the kernel
* Return 0 if successful.
- * @kernel_module_from_file:
- * Load a kernel module from userspace.
- * @file contains the file structure pointing to the file containing
- * the kernel module to load. If the module is being loaded from a blob,
- * this argument will be NULL.
- * Return 0 if permission is granted.
* @kernel_read_file:
* Read a file specified by userspace.
* @file contains the file structure pointing to the file being read
@@ -1725,7 +1719,6 @@ struct security_hook_heads {
struct list_head kernel_read_file;
struct list_head kernel_post_read_file;
struct list_head kernel_module_request;
- struct list_head kernel_module_from_file;
struct list_head task_fix_setuid;
struct list_head task_setpgid;
struct list_head task_getpgid;