tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules
+16
-5
+3
include/linux/netdevice.h
+3
include/linux/netdevice.h
···
2392
2392
extern int netdev_info(const struct net_device *dev, const char *format, ...)
2393
2393
__attribute__ ((format (printf, 2, 3)));
2394
2394
2395
+
#define MODULE_ALIAS_NETDEV(device) \
2396
+
MODULE_ALIAS("netdev-" device)
2397
+
2395
2398
#if defined(DEBUG)
2396
2399
#define netdev_dbg(__dev, format, args...) \
2397
2400
netdev_printk(KERN_DEBUG, __dev, format, ##args)
+10
-2
net/core/dev.c
+10
-2
net/core/dev.c
···
1114
1114
void dev_load(struct net *net, const char *name)
1115
1115
{
1116
1116
struct net_device *dev;
1117
+
int no_module;
1117
1118
1118
1119
rcu_read_lock();
1119
1120
dev = dev_get_by_name_rcu(net, name);
1120
1121
rcu_read_unlock();
1121
1122
1122
-
if (!dev && capable(CAP_NET_ADMIN))
1123
-
request_module("%s", name);
1123
+
no_module = !dev;
1124
+
if (no_module && capable(CAP_NET_ADMIN))
1125
+
no_module = request_module("netdev-%s", name);
1126
+
if (no_module && capable(CAP_SYS_MODULE)) {
1127
+
if (!request_module("%s", name))
1128
+
pr_err("Loading kernel module for a network device "
1129
+
"with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
1130
+
"instead\n", name);
1131
+
}
1124
1132
}
1125
1133
EXPORT_SYMBOL(dev_load);
1126
1134
+1
-1
net/ipv4/ip_gre.c
+1
-1
net/ipv4/ip_gre.c
+1
-1
net/ipv4/ipip.c
+1
-1
net/ipv4/ipip.c