tixxdz/may_autoload_module_new.patch

## may_autoload_module_new.patch
+int may_autoload_module(struct task_struct *task, char *kmod_name,
+                       int require_cap, char *prefix)
+{
+       unsigned int autoload;
+       int module_require_cap = 0;
+
+       if (require_cap > 0) {
+               if (prefix == NULL || *prefix == '\0')
+                       return -EPERM;
+
+               /*
+                * We only allow CAP_SYS_MODULE or CAP_NET_ADMIN for
+                * 'netdev-%s' modules for backward compatibility.
+                * Please do not overload capabilities.
+                */
+               if (require_cap == CAP_SYS_MODULE ||
+                   require_cap == CAP_NET_ADMIN)
+                       module_require_cap = require_cap;
+               else
+                       return -EPERM;
+       }
+
+       /* Get max value of sysctl and task "modules_autoload_mode" */
+       autoload = max_t(unsigned int, modules_autoload_mode,
+                        task->modules_autoload_mode);
+
+       /*
+        * If autoload is disabled then fail here and not bother at all
+        */
+       if (autoload == MODULES_AUTOLOAD_DISABLED)
+               return -EPERM;
+
+       /*
+        * If caller require capabilities then we may not allow
+        * automatic module loading. We should not bypass callers.
+        * This allows to support networking code that uses CAP_NET_ADMIN
+        * for some aliased 'netdev-%s' modules.
+        *
+        * Explicitly bump autoload here if necessary
+        */
+       if (module_require_cap && autoload == MODULES_AUTOLOAD_ALLOWED)
+               autoload = MODULES_AUTOLOAD_PRIVILEGED;
+
+       if (autoload == MODULES_AUTOLOAD_ALLOWED)
+               return 0;
+       else if(autoload == MODULES_AUTOLOAD_PRIVILEGED) {
+               /*
+                * If module auto-load is a privileged operation then check
+                * if capabilities are set.
+                */
+               if (capable(CAP_SYS_MODULE) ||
+                   (module_require_cap && capable(module_require_cap)))
+                       return 0;
+       }
+
+       return -EPERM;
+}
+
	+int may_autoload_module(struct task_struct task, char kmod_name,
	+ int require_cap, char *prefix)
	+{
	+ unsigned int autoload;
	+ int module_require_cap = 0;
	+
	+ if (require_cap > 0) {
	+ if (prefix == NULL \|\| *prefix == '\0')
	+ return -EPERM;
	+
	+ /*
	+ * We only allow CAP_SYS_MODULE or CAP_NET_ADMIN for
	+ * 'netdev-%s' modules for backward compatibility.
	+ * Please do not overload capabilities.
	+ */
	+ if (require_cap == CAP_SYS_MODULE \|\|
	+ require_cap == CAP_NET_ADMIN)
	+ module_require_cap = require_cap;
	+ else
	+ return -EPERM;
	+ }
	+
	+ /* Get max value of sysctl and task "modules_autoload_mode" */
	+ autoload = max_t(unsigned int, modules_autoload_mode,
	+ task->modules_autoload_mode);
	+
	+ /*
	+ * If autoload is disabled then fail here and not bother at all
	+ */
	+ if (autoload == MODULES_AUTOLOAD_DISABLED)
	+ return -EPERM;
	+
	+ /*
	+ * If caller require capabilities then we may not allow
	+ * automatic module loading. We should not bypass callers.
	+ * This allows to support networking code that uses CAP_NET_ADMIN
	+ * for some aliased 'netdev-%s' modules.
	+ *
	+ * Explicitly bump autoload here if necessary
	+ */
	+ if (module_require_cap && autoload == MODULES_AUTOLOAD_ALLOWED)
	+ autoload = MODULES_AUTOLOAD_PRIVILEGED;
	+
	+ if (autoload == MODULES_AUTOLOAD_ALLOWED)
	+ return 0;
	+ else if(autoload == MODULES_AUTOLOAD_PRIVILEGED) {
	+ /*
	+ * If module auto-load is a privileged operation then check
	+ * if capabilities are set.
	+ */
	+ if (capable(CAP_SYS_MODULE) \|\|
	+ (module_require_cap && capable(module_require_cap)))
	+ return 0;
	+ }
	+
	+ return -EPERM;
	+}
	+