Module: may autoload module function patch
+int may_autoload_module(struct task_struct *task, char *kmod_name, | |
+ int require_cap, char *prefix) | |
+{ | |
+ unsigned int autoload; | |
+ int module_require_cap = 0; | |
+ | |
+ if (require_cap > 0) { | |
+ if (prefix == NULL || *prefix == '\0') | |
+ return -EPERM; | |
+ | |
+ /* | |
+ * We only allow CAP_SYS_MODULE or CAP_NET_ADMIN for | |
+ * 'netdev-%s' modules for backward compatibility. | |
+ * Please do not overload capabilities. | |
+ */ | |
+ if (require_cap == CAP_SYS_MODULE || | |
+ require_cap == CAP_NET_ADMIN) | |
+ module_require_cap = require_cap; | |
+ else | |
+ return -EPERM; | |
+ } | |
+ | |
+ /* Get max value of sysctl and task "modules_autoload_mode" */ | |
+ autoload = max_t(unsigned int, modules_autoload_mode, | |
+ task->modules_autoload_mode); | |
+ | |
+ /* | |
+ * If autoload is disabled then fail here and not bother at all | |
+ */ | |
+ if (autoload == MODULES_AUTOLOAD_DISABLED) | |
+ return -EPERM; | |
+ | |
+ /* | |
+ * If caller require capabilities then we may not allow | |
+ * automatic module loading. We should not bypass callers. | |
+ * This allows to support networking code that uses CAP_NET_ADMIN | |
+ * for some aliased 'netdev-%s' modules. | |
+ * | |
+ * Explicitly bump autoload here if necessary | |
+ */ | |
+ if (module_require_cap && autoload == MODULES_AUTOLOAD_ALLOWED) | |
+ autoload = MODULES_AUTOLOAD_PRIVILEGED; | |
+ | |
+ if (autoload == MODULES_AUTOLOAD_ALLOWED) | |
+ return 0; | |
+ else if(autoload == MODULES_AUTOLOAD_PRIVILEGED) { | |
+ /* | |
+ * If module auto-load is a privileged operation then check | |
+ * if capabilities are set. | |
+ */ | |
+ if (capable(CAP_SYS_MODULE) || | |
+ (module_require_cap && capable(module_require_cap))) | |
+ return 0; | |
+ } | |
+ | |
+ return -EPERM; | |
+} | |
+ |
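Review bot: `kmod_name` is never read and `prefix` is only tested for being non-NULL and non-empty in the `require_cap > 0` block, so the CAP_NET_ADMIN relaxation the comment ties to `'netdev-%s'` aliases is honored for any module name; nothing in this function confirms the name carries the prefix, e.g. `if (strncmp(kmod_name, prefix, strlen(prefix)) != 0) return -EPERM;` after the existing NULL check, unless the caller builds kmod_name from prefix itself, in which case a comment stating that contract on the function would remove the ambiguity. Separately, the privileged branch calls `capable()`, which checks the credentials of current rather than of `task`; if task can ever differ from current the decision is made against the wrong task, so either the check should be done against task or the function should document that it expects task == current. Minor style point: `else if(autoload == MODULES_AUTOLOAD_PRIVILEGED) {` is missing the space after `if` that the rest of the function uses.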