Next: System Operations Up: System Call Review Previous: File System   Contents

Kernel Modules

This subsection describes the results of the system call review for calls related to kernel modules.

The create_module call may be used to register a name and to reserve kernel memory for a loadable module. The init_module call may be used to load a relocated module image into kernel memory and to run the module's initialization function. The delete_module call may be used to remove modules. These calls are implemented in kernel/module.c. Linux requires CAP_SYS_MODULE to use any of these three calls, and Flask requires the corresponding cap_sys_module permission. No additional controls seem to be necessary for these calls.

The query_module call may be used to obtain information related to loadable modules. The get_kernel_syms call may be used to obtain the kernel and module symbols; it is obsoleted by query_module. Linux does not control the use of these two calls. Flask controls should be defined for these calls to control their use.

The kernel module loader (kernel/kmod.c) runs modprobe to automatically load modules when they are requested. The kernel module loader runs as the superuser with all capabilities enabled. The kernel module loader was changed for Flask to run with the kmod initial SID. Otherwise, the Flask controls would be based on the SID of the user process.
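The two-layer decision described in the three paragraphs above, as an added model (not code from the report, the Linux kernel or the Flask prototype): the three privileged calls need both the Linux CAP_SYS_MODULE capability and the Flask cap_sys_module permission, the two query calls have no Linux check and so depend entirely on a Flask permission, and the module loader is given the kmod initial SID instead of the requester's SID. The SIDs, the permission names for the query calls and the policy table are constructed for illustration.

```c
/* Constructed model of the checks on module-related system calls.
 * Only CAP_SYS_MODULE (Linux capability number 16) is a real identifier. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum sid { SID_USER = 1, SID_KMOD = 2, SID_INSMOD = 3 };   /* constructed SIDs */
enum perm { CAP_SYS_MODULE_PERM, MODULE_QUERY_PERM, MODULE_GETSYMS_PERM };
#define CAP_SYS_MODULE_BIT (1u << 16)

struct task { enum sid sid; uint32_t caps; };

/* Constructed Flask policy: which SIDs hold which permissions. */
static const struct { enum sid sid; enum perm perm; } policy[] = {
    { SID_KMOD,   CAP_SYS_MODULE_PERM },
    { SID_INSMOD, CAP_SYS_MODULE_PERM },
    { SID_INSMOD, MODULE_QUERY_PERM },
};

static bool flask_allowed(enum sid sid, enum perm perm) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].sid == sid && policy[i].perm == perm) return true;
    return false;
}

/* Combined Linux + Flask decision for one module-related system call. */
bool module_call_allowed(const char *call, const struct task *t) {
    if (!strcmp(call, "create_module") || !strcmp(call, "init_module") ||
        !strcmp(call, "delete_module"))
        return (t->caps & CAP_SYS_MODULE_BIT) &&
               flask_allowed(t->sid, CAP_SYS_MODULE_PERM);
    if (!strcmp(call, "query_module"))      /* no Linux check: Flask only */
        return flask_allowed(t->sid, MODULE_QUERY_PERM);
    if (!strcmp(call, "get_kernel_syms"))   /* no Linux check: Flask only */
        return flask_allowed(t->sid, MODULE_GETSYMS_PERM);
    return false;
}

/* The kernel module loader runs with all capabilities; with the Flask change
 * it carries the kmod initial SID, otherwise the requesting process's SID. */
struct task spawn_kmod(const struct task *requester, bool flask_change) {
    struct task k = { flask_change ? SID_KMOD : requester->sid, 0xFFFFFFFFu };
    return k;
}

/* Can an automatic load triggered by `requester` proceed to init_module? */
bool autoload_allowed(const struct task *requester, bool flask_change) {
    struct task k = spawn_kmod(requester, flask_change);
    return module_call_allowed("init_module", &k);
}
```

Without the kmod SID change, a load triggered by an unprivileged process is denied by Flask even though the loader holds every capability, which is the outcome the report's change avoids.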

Although the Flask controls for module-related calls are straightforward, protection of the kernel module facility requires configuration of the security policy to label and control access to the module object files, the module utilities, the module configuration files, and the kernel path for modprobe. The policy configuration for kernel modules is described in [7].

