author | "Kipp N. Davis" <kippndavis.work@gmx.com> | 2025-02-11 13:21:59 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2025-02-26 15:14:43 -0500 |
commit | 2c2b1e059792f610bae4fee8ed517b8ce9c585fb (patch) | |
tree | c695fa52327953b3f9140a8f7004dbccba147091 /security/selinux/include/classmap.h | |
parent | 5fc80fb5b776fa22b01472baecec4d26d1af811b (diff) | |
selinux: add permission checks for loading other kinds of kernel files
Although the LSM hooks for loading kernel modules were later generalized
to cover loading other kinds of files, SELinux didn't implement
corresponding permission checks, leaving only the module case covered.
Define and add new permission checks for these other cases.
Signed-off-by: Cameron K. Williams <ckwilliams.work@gmail.com>
Signed-off-by: Kipp N. Davis <kippndavis.work@gmx.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: merge fuzz, line length, and spacing fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include/classmap.h')
-rw-r--r-- | security/selinux/include/classmap.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 03e82477dce9..cfac41d12f7d 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -63,7 +63,9 @@ const struct security_class_mapping secclass_map[] = { { "process2", { "nnp_transition", "nosuid_transition", NULL } }, { "system", { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", - "module_request", "module_load", NULL } }, + "module_request", "module_load", "firmware_load", + "kexec_image_load", "kexec_initramfs_load", "policy_load", + "x509_certificate_load", NULL } }, { "capability", { COMMON_CAP_PERMS, NULL } }, { "filesystem", { "mount", "remount", "unmount", "getattr", "relabelfrom", |
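Review bot: In the "system" entry, the five names added after "module_load" ("firmware_load", "kexec_image_load", "kexec_initramfs_load", "policy_load", "x509_certificate_load") come with no statement, here or in the commit message, of which kind of file load each one is checked for; the message only says "these other cases". Please list that mapping in the commit message or in a short comment above the entry, so policy writers do not have to read the hook code to learn what each permission gates. It would also help to state how a load is treated when the loaded policy predates these permissions and does not define them, since that decides whether existing systems see new denials on firmware or kexec loads after a kernel update. Appending after "module_load" rather than inserting mid-list keeps the existing permissions in their current order.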