[RFC PATCH 8/9] Loadpol LSM: include the blacklisted kernel modules in the policy

Simon THOBY git at nightmared.fr
Wed May 21 14:01:12 UTC 2025


When kernel modules are blacklisted, list them explicitly in the loadpol
policy.

Signed-off-by: Simon THOBY <git at nightmared.fr>
---
 security/loadpol/loadpol.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/security/loadpol/loadpol.c b/security/loadpol/loadpol.c
index 4d1a495a1462..c3c1846a3398 100644
--- a/security/loadpol/loadpol.c
+++ b/security/loadpol/loadpol.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 
 #include "linux/array_size.h"
+#include <linux/module.h>
 #include <linux/lsm_hooks.h>
 #include <uapi/linux/lsm.h>
 
@@ -33,12 +34,36 @@ DEFINE_LSM(LOADPOL_NAME) = {
 
 static int __init loadpol_init(void)
 {
+	struct loadpol_policy_entry *entry;
+	char *module_name;
+
+	const char *module_blacklist = get_blacklisted_modules();
+
+	if (module_blacklist) {
+		size_t len;
+
+		for (const char *p = module_blacklist; *p; p += len) {
+			len = strcspn(p, ",");
+
+			module_name = kstrndup(p, len, GFP_KERNEL);
+			entry = kzalloc(sizeof(*entry), GFP_KERNEL);
+			if (!module_name || !entry)
+				return -ENOMEM;
+
+			entry->origin = (ORIGIN_USERSPACE | ORIGIN_KERNEL);
+			entry->action = ACTION_DENY;
+			entry->module_name = module_name;
+			list_add_tail(&entry->list, loadpol_policy);
+
+			if (p[len] == ',')
+				len++;
+		}
+	}
+
 	for (int i = 0; i < ARRAY_SIZE(default_policy_entries); i++) {
-		struct loadpol_policy_entry *entry = kmemdup(
-			&default_policy_entries[i],
-			sizeof(struct loadpol_policy_entry),
-			GFP_KERNEL
-		);
+		entry = kmemdup(&default_policy_entries[i],
+				sizeof(struct loadpol_policy_entry),
+				GFP_KERNEL);
 		if (!entry)
 			return -ENOMEM;
 
-- 
2.49.0




More information about the Linux-security-module-archive mailing list