diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-09 19:45:02 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-09 19:45:02 -0500 |
commit | ab02a9540541dd7b2012f32f5e311c3cbd772387 (patch) | |
tree | 47b2795e160b0f095840ded0bb7f4c7af237eb41 | |
parent | 684adca4f84365ca327e06dba696b62de7a79eca (diff) | |
parent | 8909c9ad8ff03611c9c96c9a92656213e4bb495b (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules
-rw-r--r-- | include/linux/netdevice.h | 3 | ||||
-rw-r--r-- | net/core/dev.c | 12 | ||||
-rw-r--r-- | net/ipv4/ip_gre.c | 2 | ||||
-rw-r--r-- | net/ipv4/ipip.c | 2 | ||||
-rw-r--r-- | net/ipv6/sit.c | 2 |
5 files changed, 16 insertions, 5 deletions
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index d971346b0340..71caf7a5e6c6 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h | |||
@@ -2392,6 +2392,9 @@ extern int netdev_notice(const struct net_device *dev, const char *format, ...) | |||
2392 | extern int netdev_info(const struct net_device *dev, const char *format, ...) | 2392 | extern int netdev_info(const struct net_device *dev, const char *format, ...) |
2393 | __attribute__ ((format (printf, 2, 3))); | 2393 | __attribute__ ((format (printf, 2, 3))); |
2394 | 2394 | ||
2395 | #define MODULE_ALIAS_NETDEV(device) \ | ||
2396 | MODULE_ALIAS("netdev-" device) | ||
2397 | |||
2395 | #if defined(DEBUG) | 2398 | #if defined(DEBUG) |
2396 | #define netdev_dbg(__dev, format, args...) \ | 2399 | #define netdev_dbg(__dev, format, args...) \ |
2397 | netdev_printk(KERN_DEBUG, __dev, format, ##args) | 2400 | netdev_printk(KERN_DEBUG, __dev, format, ##args) |
diff --git a/net/core/dev.c b/net/core/dev.c index 8ae6631abcc2..6561021d22d1 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
@@ -1114,13 +1114,21 @@ EXPORT_SYMBOL(netdev_bonding_change); | |||
1114 | void dev_load(struct net *net, const char *name) | 1114 | void dev_load(struct net *net, const char *name) |
1115 | { | 1115 | { |
1116 | struct net_device *dev; | 1116 | struct net_device *dev; |
1117 | int no_module; | ||
1117 | 1118 | ||
1118 | rcu_read_lock(); | 1119 | rcu_read_lock(); |
1119 | dev = dev_get_by_name_rcu(net, name); | 1120 | dev = dev_get_by_name_rcu(net, name); |
1120 | rcu_read_unlock(); | 1121 | rcu_read_unlock(); |
1121 | 1122 | ||
1122 | if (!dev && capable(CAP_NET_ADMIN)) | 1123 | no_module = !dev; |
1123 | request_module("%s", name); | 1124 | if (no_module && capable(CAP_NET_ADMIN)) |
1125 | no_module = request_module("netdev-%s", name); | ||
1126 | if (no_module && capable(CAP_SYS_MODULE)) { | ||
1127 | if (!request_module("%s", name)) | ||
1128 | pr_err("Loading kernel module for a network device " | ||
1129 | "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s " | ||
1130 | "instead\n", name); | ||
1131 | } | ||
1124 | } | 1132 | } |
1125 | EXPORT_SYMBOL(dev_load); | 1133 | EXPORT_SYMBOL(dev_load); |
1126 | 1134 | ||
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 6613edfac28c..d1d0e2c256fc 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c | |||
@@ -1765,4 +1765,4 @@ module_exit(ipgre_fini); | |||
1765 | MODULE_LICENSE("GPL"); | 1765 | MODULE_LICENSE("GPL"); |
1766 | MODULE_ALIAS_RTNL_LINK("gre"); | 1766 | MODULE_ALIAS_RTNL_LINK("gre"); |
1767 | MODULE_ALIAS_RTNL_LINK("gretap"); | 1767 | MODULE_ALIAS_RTNL_LINK("gretap"); |
1768 | MODULE_ALIAS("gre0"); | 1768 | MODULE_ALIAS_NETDEV("gre0"); |
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index 988f52fba54a..a5f58e7cbb26 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c | |||
@@ -913,4 +913,4 @@ static void __exit ipip_fini(void) | |||
913 | module_init(ipip_init); | 913 | module_init(ipip_init); |
914 | module_exit(ipip_fini); | 914 | module_exit(ipip_fini); |
915 | MODULE_LICENSE("GPL"); | 915 | MODULE_LICENSE("GPL"); |
916 | MODULE_ALIAS("tunl0"); | 916 | MODULE_ALIAS_NETDEV("tunl0"); |
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 8ce38f10a547..d2c16e10f650 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c | |||
@@ -1290,4 +1290,4 @@ static int __init sit_init(void) | |||
1290 | module_init(sit_init); | 1290 | module_init(sit_init); |
1291 | module_exit(sit_cleanup); | 1291 | module_exit(sit_cleanup); |
1292 | MODULE_LICENSE("GPL"); | 1292 | MODULE_LICENSE("GPL"); |
1293 | MODULE_ALIAS("sit0"); | 1293 | MODULE_ALIAS_NETDEV("sit0"); |