{
	"id": "e2378f4f-e1bc-4194-a3e3-b14a62a244b3",
	"created_at": "2026-04-06T00:22:29.509641Z",
	"updated_at": "2026-04-10T03:29:24.102299Z",
	"deleted_at": null,
	"sha1_hash": "471c8a606359c2d5fbc7b27b299a743ab30f2aa5",
	"title": "[v3] selinux: restrict kernel module loading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56106,
	"plain_text": "[v3] selinux: restrict kernel module loading\r\nArchived: 2026-04-05 21:24:32 UTC\r\nMessage ID 1459886787-19858-1-git-send-email-jeffv@google.com (mailing list archive)\r\nState Accepted\r\nHeaders\r\nCommit Message\r\nUtilize existing kernel_read_file hook on kernel module load.\r\nAdd module_load permission to the system class.\r\nEnforces restrictions on kernel module origin when calling the\r\nfinit_module syscall. The hook checks that source type has\r\npermission module_load for the target type.\r\nExample for finit_module:\r\nallow foo bar_file:system module_load;\r\nSimilarly restrictions are enforced on kernel module loading when\r\ncalling the init_module syscall. The hook checks that source\r\ntype has permission module_load with itself as the target object\r\nbecause the kernel module is sourced from the calling process.\r\nExample for init_module:\r\nallow foo foo:system module_load;\r\nSigned-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\r\n---\r\nv2: The target type for init_module changed from SECINITSID_KERNEL\r\nto the same type as the source.\r\nv3: Use inode_security() to ensure inode's label is revalidated.\r\n security/selinux/hooks.c | 46 +++++++++++++++++++++++++++++++++++++\r\n security/selinux/include/classmap.h | 2 +-\r\n 2 files changed, 47 insertions(+), 1 deletion(-)\r\n \r\nComments\r\nhttps://patchwork.kernel.org/patch/8754821/\r\nPage 1 of 8\n\nOn Tuesday, April 05, 2016 01:06:27 PM Jeff Vander Stoep wrote:\r\n\u003e Utilize existing kernel_read_file hook on kernel module load.\r\n\u003e Add module_load permission to the system class.\r\n\u003e\r\n\u003e Enforces restrictions on kernel module origin when calling the\r\n\u003e finit_module syscall. The hook checks that source type has\r\n\u003e permission module_load for the target type.\r\n\u003e Example for finit_module:\r\n\u003e\r\n\u003e allow foo bar_file:system module_load;\r\n\u003e\r\n\u003e Similarly restrictions are enforced on kernel module loading when\r\n\u003e calling the init_module syscall. The hook checks that source\r\n\u003e type has permission module_load with itself as the target object\r\n\u003e because the kernel module is sourced from the calling process.\r\n\u003e Example for init_module:\r\n\u003e\r\n\u003e allow foo foo:system module_load;\r\n\u003e\r\n\u003e Signed-off-by: Jeff Vander Stoep \u003cjeffv@google.com\u003e\r\n\u003e ---\r\n\u003e v2: The target type for init_module changed from SECINITSID_KERNEL\r\n\u003e to the same type as the source.\r\n\u003e v3: Use inode_security() to ensure inode's label is revalidated.\r\nMerged, thanks for your patience. I had to do one minor fixup to resolve a\r\nproblem at compile time, see below.\r\n\u003e diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c\r\n\u003e index 3fa3ca5..231c897 100644\r\n\u003e --- a/security/selinux/hooks.c\r\n\u003e +++ b/security/selinux/hooks.c\r\n...\r\n\u003e +static selinux_kernel_read_file(struct file *file, enum kernel_read_file_id\r\n\u003e id)\r\nYou're missing the return type :) No need to resend, I fixed it when merging\r\nyour patch, see the selinux#next branch.\r\n \r\n\u003e\r\n\u003e You're missing the return type :) No need to resend, I fixed it when\r\n\u003e merging\r\n\u003e your patch, see the selinux#next branch.\r\n\u003e\r\nThanks for catching that.\r\n \r\nHello Jeff,\r\nWe are a Wireless Consulting Firm conducting research for a U.S. Health and\r\nHuman Services Grant. We require Secure Mobile Devices. How much is a\r\nlicense for Google Android SELinux and where do I go for the config?\r\nDennis Sherrell\r\nSherrell Consulting\r\nCompany #136601\r\nWireless Security Consultant\r\nCisco Certified Wireless Specialist\r\nDISA Mobile Device Administrator\r\nOn Tue, Apr 5, 2016, 1:33 PM Jeffrey Vander Stoep \u003cjeffv@google.com\u003e wrote:\r\n\u003e You're missing the return type :) No need to resend, I fixed it when\r\n\u003e\u003e merging\r\n\u003e\u003e your patch, see the selinux#next branch.\r\n\u003e\u003e\r\n\u003e\r\n\u003e Thanks for catching that.\r\n\u003e\r\n\u003e _______________________________________________\r\n\u003e Selinux mailing list\r\n\u003e Selinux@tycho.nsa.gov\r\n\u003e To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.\r\n\u003e To get help, send an email containing \"help\" to\r\n\u003e Selinux-request@tycho.nsa.gov.\r\n \r\nOn Apr 6, 2016 03:01, \"Dennis Sherrell\" \u003csherrellconsulting@gmail.com\u003e\r\nwrote:\r\n\u003e\r\n\u003e Hello Jeff,\r\n\u003e\r\n\u003e We are a Wireless Consulting Firm conducting research for a U.S. Health\r\nand Human Services Grant. We require Secure Mobile Devices. How much is a\r\nlicense for Google Android SELinux and where do I go for the config?\r\nIt's all open source in the aosp (Android Open Source Project) project.\r\nThere are essentially two paths you can go, Android branding and non Android\r\nbranding. An example of non-Android branded devices would be Amazon's\r\nKindle line or the Silent circle black phone. Also there are popular\r\naftermarket software ROMs based on aosp, like Cyanogenmod.\r\nIf you want branding, then you have to go through Google since they own the\r\nbrand, they have various programs for that. This page might help provide\r\nmore detail: https://source.android.com/compatibility/index.html\r\nThe only parts that are generally not available in the open are the\r\nproprietary drivers that bridge Android to the hardware.\r\nYou can download aosp at https://source.android.com/source/downloading.html\r\n\u003e\r\n\u003e Dennis Sherrell\r\n\u003e Sherrell Consulting\r\n\u003e Company #136601\r\n\u003e Wireless Security Consultant\r\n\u003e Cisco Certified Wireless Specialist\r\n\u003e DISA Mobile Device Administrator\r\n\u003e\r\n\u003e\r\n\u003e On Tue, Apr 5, 2016, 1:33 PM Jeffrey Vander Stoep \u003cjeffv@google.com\u003e\r\nwrote:\r\n\u003e\u003e\u003e\r\n\u003e\u003e\u003e You're missing the return type :) No need to resend, I fixed it when\r\nmerging\r\n\u003e\u003e\u003e your patch, see the selinux#next branch.\r\n\u003e\u003e\r\n\u003e\u003e\r\n\u003e\u003e Thanks for catching that.\r\n\u003e\u003e\r\n\u003e\u003e _______________________________________________\r\n\u003e\u003e Selinux mailing list\r\n\u003e\u003e Selinux@tycho.nsa.gov\r\n\u003e\u003e To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.\r\n\u003e\u003e To get help, send an email containing \"help\" to\r\nSelinux-request@tycho.nsa.gov.\r\n\u003e\r\n\u003e\r\n\u003e _______________________________________________\r\n\u003e Selinux mailing list\r\n\u003e Selinux@tycho.nsa.gov\r\n\u003e To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.\r\n\u003e To get help, send an email containing \"help\" to\r\nSelinux-request@tycho.nsa.gov.\r\n \r\nOn Apr 6, 2016 5:42 AM, \"William Roberts\" \u003cbill.c.roberts@gmail.com\u003e wrote:\r\n\u003e\r\n\u003e\r\n\u003e On Apr 6, 2016 03:01, \"Dennis Sherrell\" \u003csherrellconsulting@gmail.com\u003e\r\nwrote:\r\n\u003e \u003e\r\n\u003e \u003e Hello Jeff,\r\n\u003e \u003e\r\n\u003e \u003e We are a Wireless Consulting Firm conducting research for a U.S. Health\r\nand Human Services Grant. We require Secure Mobile Devices. How much is a\r\nlicense for Google Android SELinux and where do I go for the config?\r\n\u003e\r\n\u003e It's all open source in the aosp (Android Open Source Project) project.\r\nThere are essentially two paths you can go, Android branding and non Android\r\nbranding. An example of non-Android branded devices would be Amazon's\r\nKindle line or the Silent circle black phone. Also there are popular\r\naftermarket software ROMs based on aosp, like Cyanogenmod.\r\n\u003e\r\n\u003e If you want branding, then you have to go through Google since they own\r\nthe brand, they have various programs for that. This page might help\r\nprovide more detail: https://source.android.com/compatibility/index.html\r\n\u003e\r\n\u003e The only parts that are generally not available in the open are the\r\nproprietary drivers that bridge Android to the hardware.\r\n\u003e\r\n\u003e You can download aosp at\r\nhttps://source.android.com/source/downloading.html\r\n\u003e\r\nFYI This question is off topic to the thread and mailing list. In the\r\nfuture post a new topic to the seandroid mailing list.\r\n\u003e \u003e\r\n\u003e \u003e Dennis Sherrell\r\n\u003e \u003e Sherrell Consulting\r\n\u003e \u003e Company #136601\r\n\u003e \u003e Wireless Security Consultant\r\n\u003e \u003e Cisco Certified Wireless Specialist\r\n\u003e \u003e DISA Mobile Device Administrator\r\n\u003e \u003e\r\n\u003e \u003e\r\n\u003e \u003e On Tue, Apr 5, 2016, 1:33 PM Jeffrey Vander Stoep \u003cjeffv@google.com\u003e\r\nwrote:\r\n\u003e \u003e\u003e\u003e\r\n\u003e \u003e\u003e\u003e You're missing the return type :) No need to resend, I fixed it when\r\nmerging\r\n\u003e \u003e\u003e\u003e your patch, see the selinux#next branch.\r\n\u003e \u003e\u003e\r\n\u003e \u003e\u003e\r\n\u003e \u003e\u003e Thanks for catching that.\r\n\u003e \u003e\u003e\r\n\u003e \u003e\u003e _______________________________________________\r\n\u003e \u003e\u003e Selinux mailing list\r\n\u003e \u003e\u003e Selinux@tycho.nsa.gov\r\n\u003e \u003e\u003e To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.\r\n\u003e \u003e\u003e To get help, send an email containing \"help\" to\r\nSelinux-request@tycho.nsa.gov.\r\n\u003e \u003e\r\n\u003e \u003e\r\n\u003e \u003e _______________________________________________\r\n\u003e \u003e Selinux mailing list\r\n\u003e \u003e Selinux@tycho.nsa.gov\r\n\u003e \u003e To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.\r\n\u003e \u003e To get help, send an email containing \"help\" to\r\nSelinux-request@tycho.nsa.gov.\r\n \r\n@@ -3719,6 +3719,51 @@ static int selinux_kernel_module_request(char *kmod_name)\r\n SYSTEM__MODULE_REQUEST, \u0026ad);\r\n }\r\n \r\n+static int selinux_kernel_module_from_file(struct file *file)\r\n+{\r\n+ struct common_audit_data ad;\r\n+ struct inode_security_struct *isec;\r\n+ struct file_security_struct *fsec;\r\n+ u32 sid = current_sid();\r\n+ int rc;\r\n+\r\n+ /* init_module */\r\n+ if (file == NULL)\r\n+ return avc_has_perm(sid, sid, SECCLASS_SYSTEM,\r\n+ SYSTEM__MODULE_LOAD, NULL);\r\n+\r\n+ /* finit_module */\r\n+ ad.type = LSM_AUDIT_DATA_PATH;\r\n+ ad.u.path = file-\u003ef_path;\r\n+\r\n+ isec = inode_security(file_inode(file));\r\n+ fsec = file-\u003ef_security;\r\n+\r\n+ if (sid != fsec-\u003esid) {\r\n+ rc = avc_has_perm(sid, fsec-\u003esid, SECCLASS_FD, FD__USE, \u0026ad);\r\n+ if (rc)\r\n+ return rc;\r\n+ }\r\n+\r\n+ return avc_has_perm(sid, isec-\u003esid, SECCLASS_SYSTEM,\r\n+ SYSTEM__MODULE_LOAD, \u0026ad);\r\n+}\r\n+\r\n+static selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id)\r\n+{\r\n+ int rc = 0;\r\n+\r\n+ switch (id) {\r\n+ case READING_MODULE:\r\n+ rc = selinux_kernel_module_from_file(file);\r\n+ break;\r\n+ default:\r\n+ break;\r\n+ }\r\n+\r\n+ return rc;\r\n+}\r\n+\r\n static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)\r\n {\r\n return current_has_perm(p, PROCESS__SETPGID);\r\n@@ -6022,6 +6067,7 @@ static struct security_hook_list selinux_hooks[] = {\r\n LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),\r\n LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),\r\n LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),\r\n+ LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),\r\n LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),\r\n LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),\r\n LSM_HOOK_INIT(task_getsid, selinux_task_getsid),\r\n@@ -32,7 +32,7 @@ struct security_class_mapping secclass_map[] = {\r\n \"setsockcreate\", NULL } },\r\n{ \"system\",\r\n { \"ipc_info\", \"syslog_read\", \"syslog_mod\",\r\n- \"syslog_console\", \"module_request\", NULL } },\r\n+ \"syslog_console\", \"module_request\", \"module_load\", NULL } },\r\n { \"capability\",\r\n { \"chown\", \"dac_override\", \"dac_read_search\",\r\n \"fowner\", \"fsetid\", \"kill\", \"setgid\", \"setuid\", \"setpcap\",\r\n \r\nSource: https://patchwork.kernel.org/patch/8754821/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://patchwork.kernel.org/patch/8754821/"
	],
	"report_names": [
		"8754821"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775791764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/471c8a606359c2d5fbc7b27b299a743ab30f2aa5.pdf",
		"text": "https://archive.orkl.eu/471c8a606359c2d5fbc7b27b299a743ab30f2aa5.txt",
		"img": "https://archive.orkl.eu/471c8a606359c2d5fbc7b27b299a743ab30f2aa5.jpg"
	}
}