ANDROID: Improve module loader checks for GKI symbol protection
* Deny loading of unsigned modules which use protected vmlinux
symbols.
* Optimize symbol resolution for unsigned modules by avoiding
searching for symbols exported by other unsigned modules in the list
of unprotected symbols.
Bug: 343540599
Change-Id: I64bc03ad9e37ec7e85be2099d0132966ffe1b35b
Signed-off-by: Sid Nayyar <sidnayyar@google.com>
(cherry picked from commit 8faec9ddf1
)
parent
9acf2adaf5
commit
bb064dd1e0
|
@ -1113,6 +1113,8 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod,
|
|||
const char *name,
|
||||
char ownername[])
|
||||
{
|
||||
bool is_vendor_module;
|
||||
bool is_vendor_exported_symbol;
|
||||
struct find_symbol_arg fsa = {
|
||||
.name = name,
|
||||
.gplok = !(mod->taints & (1 << TAINT_PROPRIETARY_MODULE)),
|
||||
|
@ -1150,16 +1152,19 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod,
|
|||
}
|
||||
|
||||
/*
|
||||
* ANDROID: GKI:
|
||||
* In case of an unsigned module symbol resolves only if:
|
||||
* 1. Symbol is in the list of unprotected symbol list OR
|
||||
* 2. If symbol owner is not NULL i.e. owner is another module;
|
||||
* it has to be an unsigned module and not signed GKI module
|
||||
* to protect symbols exported by signed GKI modules.
|
||||
* ANDROID GKI
|
||||
*
|
||||
* Vendor (i.e., unsigned) modules are only permitted to use:
|
||||
*
|
||||
* 1. symbols exported by other vendor (unsigned) modules
|
||||
* 2. unprotected symbols
|
||||
*/
|
||||
if (!mod->sig_ok &&
|
||||
!gki_is_module_unprotected_symbol(name) &&
|
||||
fsa.owner && fsa.owner->sig_ok) {
|
||||
is_vendor_module = !mod->sig_ok;
|
||||
is_vendor_exported_symbol = fsa.owner && !fsa.owner->sig_ok;
|
||||
|
||||
if (is_vendor_module &&
|
||||
!is_vendor_exported_symbol &&
|
||||
!gki_is_module_unprotected_symbol(name)) {
|
||||
fsa.sym = ERR_PTR(-EACCES);
|
||||
goto getname;
|
||||
}
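Review bot: The rewritten comment above the check no longer says what a NULL `fsa.owner` means, although that is the case this change newly denies: with `is_vendor_exported_symbol = fsa.owner && !fsa.owner->sig_ok`, a symbol with no owning module counts as not vendor-exported and resolves only if `gki_is_module_unprotected_symbol(name)` accepts it. I would add a line to the comment, `* A NULL fsa.owner means the symbol comes from vmlinux; it must be on the unprotected list.`, so that a later edit does not reintroduce the gap the removed `fsa.owner && fsa.owner->sig_ok` condition had. The whole policy keys on `sig_ok`, so it is presumably only as strong as the signature verification that sets that flag, which is outside these hunks; a short note stating that assumption next to `is_vendor_module = !mod->sig_ok;` would help the next reader. The body of resolve_symbol starts and ends outside the visible hunks.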
|
||||
|
|