LSM hook for module loading and unloading

Casey Schaufler casey at schaufler-ca.com
Mon Dec 3 16:13:28 UTC 2018


On 12/1/2018 7:49 AM, Tamir Carmeli wrote:
> Hi,
> I believe that this is the right place to ask the question, but if it
> isn't please let me know of a better forum to ask.

This is the right list.

> Is there a reason why LSM hooks for kernel module deletion and loading
> don't exist? (for delete_module syscall and load_module kernel
> function)

security_kernel_load_data() is the hook for loading.

> Is there some design problem I'm not aware of, or is it that the
> necessity hasn't come up from any of the mainline LSMs?

No one has seen the need for a hook during unload.

> I'm considering writing such a patch, and I'd like to hear reasons for
> why it might be a bad idea.

To what end? Look at the LoadPin security module in security/loadpin
for one approach to protecting module loading.

> Thanks.


