[GIT PULL] selinux/selinux-pr-20250323

Linus Torvalds torvalds at linux-foundation.org
Thu Mar 27 01:20:41 UTC 2025


On Wed, 26 Mar 2025 at 18:06, Thiébaud Weksteen <tweek at google.com> wrote:
>
> Taking one example from this merge request: kexec image loading.

So this is the kind of "why" I was looking for.

> Currently, any process which has CAP_SYS_BOOT can use kexec to replace
> the existing kernel. Android has 5 processes with CAP_SYS_BOOT, only 1
> of which needs kexec functionality [1]. By using these new
> permissions, we will ensure that this process is able to call kexec,
> while prohibiting other processes. SELinux provides us strong, kernel
> enforced guarantees which can be checked at policy compile time.
> Extending on this, we will use this patchset to guarantee that kernels
> and ramdisks executed by kexec come from known, good sources.
>
> The other hooks are of similar value to Android.

Now explain to me how the firmware loading hook works, not some
hand-wavy "similar value" thing.

Because it seems entirely bogus. Exactly because the context of
firmware loading is *not* something you can depend on. There is no
"one special process" that has firmware loading capabilities.

I'm looking at selinux_kernel_load_data() in particular, where you
don't even pass it a file at all, so it's not like it could check for
"is this file integrity-protected" or anything like that. It seems to
literally say "can this process load firmware", and as I've explained,
the firmware loading is done by random processes.

               Linus


