When kernel modules are blacklisted, list them explicitly in the loadpol policy.
Signed-off-by: Simon THOBY <g...@nightmared.fr>
---
 security/loadpol/loadpol.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/security/loadpol/loadpol.c b/security/loadpol/loadpol.c
index 4d1a495a1462..c3c1846a3398 100644
--- a/security/loadpol/loadpol.c
+++ b/security/loadpol/loadpol.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
#include "linux/array_size.h"
+#include <linux/module.h>
#include <linux/lsm_hooks.h>
#include <uapi/linux/lsm.h>
@@ -33,12 +34,36 @@ DEFINE_LSM(LOADPOL_NAME) = {
static int __init loadpol_init(void)
{
+ struct loadpol_policy_entry *entry;
+ char *module_name;
+
+ const char *module_blacklist = get_blacklisted_modules();
+
+ if (module_blacklist) {
+ size_t len;
+
+ for (const char *p = module_blacklist; *p; p += len) {
+ len = strcspn(p, ",");
+
+ module_name = kstrndup(p, len, GFP_KERNEL);
+ entry = kzalloc(sizeof(*entry), GFP_KERNEL);
+ if (!module_name || !entry)
+ return -ENOMEM;
+
+ entry->origin = (ORIGIN_USERSPACE | ORIGIN_KERNEL);
+ entry->action = ACTION_DENY;
+ entry->module_name = module_name;
+ list_add_tail(&entry->list, loadpol_policy);
+
+ if (p[len] == ',')
+ len++;
+ }
+ }
+
for (int i = 0; i < ARRAY_SIZE(default_policy_entries); i++) {
- struct loadpol_policy_entry *entry = kmemdup(
- &default_policy_entries[i],
- sizeof(struct loadpol_policy_entry),
- GFP_KERNEL
- );
+ entry = kmemdup(&default_policy_entries[i],
+ sizeof(struct loadpol_policy_entry),
+ GFP_KERNEL);
if (!entry)
return -ENOMEM;
-- 2.49.0
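Review bot: The allocation check in the new blacklist loop, `if (!module_name || !entry) return -ENOMEM;`, leaks whichever of the two allocations succeeded when the other fails, because neither the kstrndup() result nor the kzalloc() result is released before returning. The same loop also turns an empty token — a leading, doubled or trailing comma in the blacklist string — into a policy entry whose module_name is "", since strcspn() returns 0 there and kstrndup(p, 0, ...) still allocates; how such an entry matches depends on the lookup in the hook, which is outside this hunk, but it should not be created at all. Entries already linked into loadpol_policy are likewise left allocated on -ENOMEM, but the existing default-policy loop behaves the same way, so I would not hold the patch on that; loadpol_init() also continues past the end of the hunk. The rewrite below frees both pointers on failure and steps over empty tokens; a bare `continue` would not do there, because the loop's `p += len` needs len to be 1 to get past the comma.
```c
		for (const char *p = module_blacklist; *p; p += len) {
			len = strcspn(p, ",");
			/* Empty token (leading, doubled or trailing comma): step over it. */
			if (!len) {
				len = 1;
				continue;
			}

			module_name = kstrndup(p, len, GFP_KERNEL);
			entry = kzalloc(sizeof(*entry), GFP_KERNEL);
			if (!module_name || !entry) {
				kfree(module_name);	/* kfree(NULL) is a no-op */
				kfree(entry);
				return -ENOMEM;
			}

			/* … unchanged: entry initialisation, list_add_tail(), comma skip … */
		}
```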