Re: [PATCH 2/3] security: introducing security_request_module
From: Serge E. Hallyn
Date:  Thu Aug 13 2009 - 10:12:24 EST
Quoting Eric Paris (eparis@xxxxxxxxxx):
> Calling request_module() will trigger a userspace upcall which will load a
> new module into the kernel.  This can be a dangerous event if the process
> able to trigger request_module() is able to control either the modprobe
> binary or the module binary.  This patch adds a new security hook to
> request_module() which can be used by an LSM to control a process's ability
> to call request_module().
Is there a specific case in which you'd want to deny this ability
from a real task?
-serge