• Dmitry Torokhov's avatar
    module: add in-kernel support for decompressing · b1ae6dc4
    Dmitry Torokhov authored
    Current scheme of having userspace decompress kernel modules before
    loading them into the kernel runs afoul of LoadPin security policy, as
    it loses link between the source of kernel module on the disk and binary
    blob that is being loaded into the kernel. To solve this issue let's
    implement decompression in kernel, so that we can pass a file descriptor
    of compressed module file into finit_module() which will keep LoadPin
    happy.
    
    To let userspace know what compression/decompression scheme kernel
    supports it will create /sys/module/compression attribute. kmod can read
    this attribute and decide if it can pass compressed file to
    finit_module(). New MODULE_INIT_COMPRESSED_DATA flag indicates that the
    kernel should attempt to decompress the data read from file descriptor
    prior to trying load the module.
    
    To simplify things kernel will only implement single decompression
    method matching compression method selected when generating modules.
    This patch implements gzip and xz; more can be added later,
    Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
    b1ae6dc4
module.c 122 KB