Created
May 24, 2017 12:50
Patch for may_autoload_module()
-int may_autoload_module(struct task_struct *task, char *kmod_name, int allow_cap) | |
+int may_autoload_module(struct task_struct *task, char *kmod_name, | |
+ int require_cap, char *prefix) | |
{ | |
- unsigned int autoload = max_t(unsigned int, modules_autoload_mode, | |
- task->modules_autoload_mode); | |
+ unsigned int autoload; | |
+ bool module_require_cap = false; | |
- if (autoload == MODULES_AUTOLOAD_ALLOWED) | |
- return 0; | |
- else if (autoload == MODULES_AUTOLOAD_PRIVILEGED) { | |
- /* Check CAP_SYS_MODULE then allow_cap if valid */ | |
- if (capable(CAP_SYS_MODULE) || | |
- (allow_cap > 0 && capable(allow_cap))) | |
- return 0; | |
+ if (require_cap > 0) { | |
+ if (prefix == NULL || *prefix == '\0') | |
+ return -EPERM; | |
+ | |
+ /* | |
+ * We only allow CAP_SYS_MODULE or CAP_NET_ADMIN for | |
+ * 'netdev-%s' modules for backward compatibility | |
+ */ | |
+ if (require_cap == CAP_SYS_MODULE || | |
+ require_cap == CAP_NET_ADMIN) | |
+ module_require_cap = true; | |
+ else | |
+ return -EPERM; | |
} | |
- /* MODULES_AUTOLOAD_DISABLED or not enough caps */ | |
+ | |
+ /* | |
+ * We only allow CAP_SYS_MODULE or CAP_NET_ADMIN for | |
+ * 'netdev-%s' modules for backward compatibility | |
+ */ | |
+ if (require_cap == CAP_SYS_MODULE || | |
+ require_cap == CAP_NET_ADMIN) | |
+ module_require_cap = true; | |
+ else | |
+ return -EPERM; | |
} | |
- /* MODULES_AUTOLOAD_DISABLED or not enough caps */ | |
+ /* Get max value of sysctl and task "modules_autoload_mode" */ | |
+ autoload = max_t(unsigned int, modules_autoload_mode, | |
+ task->modules_autoload_mode); | |
+ | |
+ /* | |
+ * If autoload is disabled then fail here and not bother at all | |
+ */ | |
+ if (autoload == MODULES_AUTOLOAD_DISABLED) | |
+ return -EPERM; | |
+ | |
+ /* | |
+ * If caller require capabilities then we may not allow | |
+ * automatic module loading. We should not bypass callers. | |
+ * | |
+ * This allows to support networking code that uses CAP_NET_ADMIN | |
+ * for some aliased 'netdev-%s' modules. | |
+ * | |
+ * Explicitly perform the check here. | |
+ */ | |
+ if (module_require_cap && capable(require_cap)) | |
+ return 0; | |
+ | |
+ if (autoload == MODULES_AUTOLOAD_PRIVILGED) { | |
+ if (capable(CAP_SYS_MODULE)) | |
+ return 0; | |
+ } else if (autoload == MODULES_AUTOLOAD_ALLOWED) | |
+ return 0; | |
+ | |
return -EPERM; | |
} | |
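Review bot: The comparison `autoload == MODULES_AUTOLOAD_PRIVILGED` spells the constant differently from the `MODULES_AUTOLOAD_PRIVILEGED` used by the removed code, so unless that spelling is defined elsewhere this will not build. Separately, the `require_cap > 0` branch only rejects a NULL or empty `prefix`, while its comment limits the CAP_NET_ADMIN path to 'netdev-%s' modules; nothing visible here ties `kmod_name` to `prefix`, so in privileged mode `capable(require_cap)` would authorize any module name the caller passes. A defensive check before setting `module_require_cap`, for example `if (!kmod_name || strncmp(kmod_name, prefix, strlen(prefix))) return -EPERM;`, would make the code enforce what the comment promises. Note also that a task lacking `require_cap` falls through to the mode check and still gets 0 under `MODULES_AUTOLOAD_ALLOWED`; if that relies on the caller having already checked the capability, it is worth saying so in the comment above `capable(require_cap)`.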