diff options
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/module.c | 7 | ||||
| -rw-r--r-- | kernel/sysctl.c | 12 |
2 files changed, 17 insertions, 2 deletions
diff --git a/kernel/module.c b/kernel/module.c index f77ac320d0b5..eeb3f7b1383c 100644 --- a/kernel/module.c +++ b/kernel/module.c | |||
| @@ -778,6 +778,9 @@ static void wait_for_zero_refcount(struct module *mod) | |||
| 778 | mutex_lock(&module_mutex); | 778 | mutex_lock(&module_mutex); |
| 779 | } | 779 | } |
| 780 | 780 | ||
| 781 | /* Block module loading/unloading? */ | ||
| 782 | int modules_disabled = 0; | ||
| 783 | |||
| 781 | SYSCALL_DEFINE2(delete_module, const char __user *, name_user, | 784 | SYSCALL_DEFINE2(delete_module, const char __user *, name_user, |
| 782 | unsigned int, flags) | 785 | unsigned int, flags) |
| 783 | { | 786 | { |
| @@ -785,7 +788,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, | |||
| 785 | char name[MODULE_NAME_LEN]; | 788 | char name[MODULE_NAME_LEN]; |
| 786 | int ret, forced = 0; | 789 | int ret, forced = 0; |
| 787 | 790 | ||
| 788 | if (!capable(CAP_SYS_MODULE)) | 791 | if (!capable(CAP_SYS_MODULE) || modules_disabled) |
| 789 | return -EPERM; | 792 | return -EPERM; |
| 790 | 793 | ||
| 791 | if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) | 794 | if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) |
| @@ -2349,7 +2352,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, | |||
| 2349 | int ret = 0; | 2352 | int ret = 0; |
| 2350 | 2353 | ||
| 2351 | /* Must have permission */ | 2354 | /* Must have permission */ |
| 2352 | if (!capable(CAP_SYS_MODULE)) | 2355 | if (!capable(CAP_SYS_MODULE) || modules_disabled) |
| 2353 | return -EPERM; | 2356 | return -EPERM; |
| 2354 | 2357 | ||
| 2355 | /* Only one module load at a time, please */ | 2358 | /* Only one module load at a time, please */ |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index c5ef44ff850f..2fb4246d27de 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
| @@ -113,6 +113,7 @@ static int ngroups_max = NGROUPS_MAX; | |||
| 113 | 113 | ||
| 114 | #ifdef CONFIG_MODULES | 114 | #ifdef CONFIG_MODULES |
| 115 | extern char modprobe_path[]; | 115 | extern char modprobe_path[]; |
| 116 | extern int modules_disabled; | ||
| 116 | #endif | 117 | #endif |
| 117 | #ifdef CONFIG_CHR_DEV_SG | 118 | #ifdef CONFIG_CHR_DEV_SG |
| 118 | extern int sg_big_buff; | 119 | extern int sg_big_buff; |
| @@ -533,6 +534,17 @@ static struct ctl_table kern_table[] = { | |||
| 533 | .proc_handler = &proc_dostring, | 534 | .proc_handler = &proc_dostring, |
| 534 | .strategy = &sysctl_string, | 535 | .strategy = &sysctl_string, |
| 535 | }, | 536 | }, |
| 537 | { | ||
| 538 | .ctl_name = CTL_UNNUMBERED, | ||
| 539 | .procname = "modules_disabled", | ||
| 540 | .data = &modules_disabled, | ||
| 541 | .maxlen = sizeof(int), | ||
| 542 | .mode = 0644, | ||
| 543 | /* only handle a transition from default "0" to "1" */ | ||
| 544 | .proc_handler = &proc_dointvec_minmax, | ||
| 545 | .extra1 = &one, | ||
| 546 | .extra2 = &one, | ||
| 547 | }, | ||
| 536 | #endif | 548 | #endif |
| 537 | #if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET) | 549 | #if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET) |
| 538 | { | 550 | { |