Re: [PATCH] documentation for module and netdev hooks

From: Chris Wright (chrisat_private)
Date: Thu Oct 04 2001 - 18:47:33 PDT


    sorry for long lag on this thread.
    
    * Stephen Smalley (sdsat_private) wrote:
    > 
    > This looks good.  I think that doing the continue is the right course
    > of action.  Also, I suppose that we could remove the name parameter
    > from the init_module hook, since it is redundant with the module
    > parameter.  
    
    below is a patch that changes the delete_module hook to use struct module
    and removes the redundant name parameter from init_module.
    
    > Adding a security field to the module structure might be interesting,
    > but I'm not sure what the basis for determining the tag would be.
    > When we looked at kernel modules for SELinux, we originally hoped
    > to perform a permission check based on the label of the file from
    > which the module was stored (to check its integrity), but the file
    > doesn't seem to be available to the kernel since the utility handles the
    > loading.  I suppose you might do some kind of tagging based on a hash
    > of the module.
    
    i'm not sure either.  it seems like the information should be available,
    since the userland program that does the create_module and init_module had
    to open a file to read in module and build module struct.  of course,
    if we leave it up to userland to report which file it opened...the
    program could always lie ;-(
    
    at any rate, if this looks ok, i'll commit tomorrow.
    
    -chris
    
    diff -Nru a/include/linux/security.h b/include/linux/security.h
    --- a/include/linux/security.h	Thu Oct  4 18:37:05 2001
    +++ b/include/linux/security.h	Thu Oct  4 18:37:05 2001
    @@ -1650,7 +1650,6 @@
     
     	/**
     	 * init_module - check permission when initializing a module
    -	 * @name: module name
     	 * @mod: the module
     	 *
     	 * called: sys_init_module <kernel/module.c>
    @@ -1660,20 +1659,21 @@
     	 * Check permission before initializing a kernel module.
     	 * Return 0 if permission is granted.
     	 */
    - 	int  (* init_module) (const char *name, struct module *mod);
    + 	int  (* init_module) (struct module *mod);
     
     	/**
     	 * delete_module - check permission when removing a module
    -	 * @name: module name
    +	 * @mod: module being deleted
     	 *
     	 * called: sys_delete_module <kernel/module.c>
     	 *
     	 * lock:  The big kernel lock is held.
    +	 * lock:  unload_lock is held.
     	 *
     	 * Check permission before removing a kernel module.
     	 * Return 0 if permission is granted.
     	 */
    - 	int  (* delete_module) (const char *name);
    + 	int  (* delete_module) (const struct module *mod);
     };
     
     /**
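Review bot: The two `lock:` lines kept for delete_module do not tell implementers the consequence of the second one: with this patch the hook is called from sys_delete_module between `spin_lock(&unload_lock)` and `spin_unlock(&unload_lock)`, so it runs in atomic context and must not sleep (no blocking allocation, no waiting on I/O). Suggest collapsing them into `* lock: The big kernel lock and the unload_lock spinlock are held; the hook must not sleep.` The same kernel-doc should also state that in the autoclean path (name_user is NULL) a non-zero return only skips that module and is never reported to the caller, since the module.c hunk at -666 discards the result; "Return 0 if permission is granted" alone suggests every denial is an error to user space. The struct these hook members belong to begins outside the hunk.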
    diff -Nru a/kernel/module.c b/kernel/module.c
    --- a/kernel/module.c	Thu Oct  4 18:37:05 2001
    +++ b/kernel/module.c	Thu Oct  4 18:37:05 2001
    @@ -505,7 +505,7 @@
     	}
     
     	/* check that we have permission to do this */
    -	error = security_ops->module_ops->init_module(name, mod);
    +	error = security_ops->module_ops->init_module(mod);
     	if (error)
     		goto err3;
     	error = -EINVAL;
    @@ -619,13 +619,6 @@
     		if ((error = get_mod_name(name_user, &name)) < 0)
     			goto out;
     
    -		/* check that we have permission to do this */
    -		error = security_ops->module_ops->delete_module(name);
    -		if (error) {
    -			put_mod_name(name);
    -			goto out;
    -		}
    -
     		error = -ENOENT;
     		if ((mod = find_module(name)) == NULL) {
     			put_mod_name(name);
    @@ -638,6 +631,12 @@
     
     		spin_lock(&unload_lock);
     		if (!__MOD_IN_USE(mod)) {
    +			/* check that we have permission to do this */
    +			error = security_ops->module_ops->delete_module(mod);
    +			if (error) {
    +				spin_unlock(&unload_lock);
    +				goto out;
    +			}
     			mod->flags |= MOD_DELETED;
     			spin_unlock(&unload_lock);
     			free_module(mod, 0);
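Review bot: The permission check now sits between `spin_lock(&unload_lock)` and its matching unlock, so the LSM hook is invoked in atomic context; the old call site removed at -619 ran without the spinlock, and nothing at the new site warns hook authors of the constraint. Suggest `/* check that we have permission to do this; unload_lock is held, the hook must not sleep */`. The `goto out` on denial no longer performs the `put_mod_name(name)` that the removed check did, which is only correct if the name reference is already dropped between `find_module` and `spin_lock`; that stretch is not in the hunk, so it is worth confirming. The hunk at -666 calls the hook under the same spinlock and needs the same comment. sys_delete_module begins and ends outside this hunk.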
    @@ -666,6 +665,13 @@
     				spin_unlock(&unload_lock);
     				mod->flags &= ~MOD_VISITED;
     			} else {
    +				/* check that we have permission to do this
    +				 * an error is not propagated if perm fails
    +				 */
    +				if (security_ops->module_ops->delete_module(mod)) {
    +					spin_unlock(&unload_lock);
    +					continue;
    +				}
     				mod->flags |= MOD_DELETED;
     				spin_unlock(&unload_lock);
     				free_module(mod, 1);
    diff -Nru a/security/capability_plug.c b/security/capability_plug.c
    --- a/security/capability_plug.c	Thu Oct  4 18:37:05 2001
    +++ b/security/capability_plug.c	Thu Oct  4 18:37:05 2001
    @@ -914,13 +914,12 @@
     	return 0;
     }
     
    -static int cap_module_init_module (const char *name_user,
    -				   struct module *mod_user)
    +static int cap_module_init_module (struct module *mod_user)
     {
     	return 0;
     }
     
    -static int cap_module_delete_module (const char *name_user)
    +static int cap_module_delete_module (const struct module *mod)
     {
     	return 0;
     }
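Review bot: The new init_module stub keeps the parameter name `mod_user` while the delete stub three lines below names the same type `mod`, and elsewhere in this patch the `_user` suffix marks a pointer copied in from user space (`get_mod_name(name_user, &name)` in module.c), which a `struct module *` built by the kernel is not. Suggest `static int cap_module_init_module (struct module *mod)` to match both the delete stub and the security.h prototype. The dummy.c hunk at -735 has the same inconsistency.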
    diff -Nru a/security/dummy.c b/security/dummy.c
    --- a/security/dummy.c	Thu Oct  4 18:37:05 2001
    +++ b/security/dummy.c	Thu Oct  4 18:37:05 2001
    @@ -735,13 +735,12 @@
     	return 0;
     }
     
    -static int dummy_module_init_module (const char *name_user,
    -				     struct module *mod_user)
    +static int dummy_module_init_module (struct module *mod_user)
     {
     	return 0;
     }
     
    -static int dummy_module_delete_module (const char *name_user)
    +static int dummy_module_delete_module (const struct module *mod)
     {
     	return 0;
     }
    
    


