rpms/kernel/F-12 linux-2.6-selinux-module-load-perms.patch, NONE, 1.1 kernel.spec, 1.1809, 1.1810
Eric Paris
eparis at fedoraproject.org
Wed Sep 16 19:58:23 UTC 2009
Author: eparis
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14436
Modified Files:
kernel.spec
Added Files:
linux-2.6-selinux-module-load-perms.patch
Log Message:
* Wed Sep 16 2009 Eric Paris <eparis at redhat.com>
- Do not check CAP_SYS_MODULE when networking tries to autoload a module
linux-2.6-selinux-module-load-perms.patch:
drivers/staging/comedi/comedi_fops.c | 8 ++++----
include/linux/security.h | 10 ++++++++++
kernel/kmod.c | 4 ++++
net/core/dev.c | 2 +-
net/ipv4/tcp_cong.c | 4 ++--
security/capability.c | 6 ++++++
security/security.c | 5 +++++
security/selinux/hooks.c | 6 ++++++
security/selinux/include/av_perm_to_string.h | 1 +
security/selinux/include/av_permissions.h | 1 +
10 files changed, 40 insertions(+), 7 deletions(-)
--- NEW FILE linux-2.6-selinux-module-load-perms.patch ---
diff -up linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c.pre.module linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c
--- linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c.pre.module 2009-09-14 14:02:56.726491957 -0400
+++ linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c 2009-09-14 14:03:30.035571987 -0400
@@ -1752,12 +1752,12 @@ static int comedi_open(struct inode *ino
mutex_lock(&dev->mutex);
if (dev->attached)
goto ok;
- if (!capable(CAP_SYS_MODULE) && dev->in_request_module) {
+ if (!capable(CAP_NET_ADMIN) && dev->in_request_module) {
DPRINTK("in request module\n");
mutex_unlock(&dev->mutex);
return -ENODEV;
}
- if (capable(CAP_SYS_MODULE) && dev->in_request_module)
+ if (capable(CAP_NET_ADMIN) && dev->in_request_module)
goto ok;
dev->in_request_module = 1;
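Review bot: The capability substituted on the `+` lines is CAP_NET_ADMIN, a networking-administration capability, yet comedi_fops.c is a data-acquisition driver with no network role, and the log message frames the change as being about networking autoload, so this reads as the wrong capability for this driver; the second hunk of this file (the `not attached` check) makes the same substitution. If the intent is only that a sufficiently privileged opener may proceed while request_module() is in flight, a one-line comment explaining why CAP_NET_ADMIN was chosen here would stop the next reader from treating it as a copy-paste slip, e.g. `/* CAP_NET_ADMIN, not CAP_SYS_MODULE: autoload itself is now gated by security_kernel_module_request() */`. comedi_open() begins outside this hunk.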
@@ -1770,8 +1770,8 @@ static int comedi_open(struct inode *ino
dev->in_request_module = 0;
- if (!dev->attached && !capable(CAP_SYS_MODULE)) {
- DPRINTK("not attached and not CAP_SYS_MODULE\n");
+ if (!dev->attached && !capable(CAP_NET_ADMIN)) {
+ DPRINTK("not attached and not CAP_NET_ADMIN\n");
mutex_unlock(&dev->mutex);
return -ENODEV;
}
diff -up linux-2.6.31.x86_64/include/linux/security.h.pre.module linux-2.6.31.x86_64/include/linux/security.h
--- linux-2.6.31.x86_64/include/linux/security.h.pre.module 2009-09-14 14:01:55.018199730 -0400
+++ linux-2.6.31.x86_64/include/linux/security.h 2009-09-14 14:03:35.710454710 -0400
@@ -678,6 +678,9 @@ static inline void security_free_mnt_opt
* @inode points to the inode to use as a reference.
* The current task must be the one that nominated @inode.
* Return 0 if successful.
+ * @kernel_module_request:
+ * Ability to trigger the kernel to automatically upcall to userspace for
+ * userspace to load a kernel module with the given name.
* @task_setuid:
* Check permission before setting one or more of the user identity
* attributes of the current process. The @flags parameter indicates
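Review bot: The new @kernel_module_request text says the hook governs loading a module "with the given name", but the hook added to struct security_operations in the next hunk is `int (*kernel_module_request)(void)` and receives no name, so an LSM cannot make a per-module decision or record the name in its audit message. Either drop "with the given name" from the description or give the hook the name once it exists (in the kmod.c hunk the call is placed before the name is formatted). The entry also omits the return contract that the surrounding hook descriptions state; add `* Return 0 if permission is granted.` after the description.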
@@ -1489,6 +1492,7 @@ struct security_operations {
void (*cred_commit)(struct cred *new, const struct cred *old);
int (*kernel_act_as)(struct cred *new, u32 secid);
int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
+ int (*kernel_module_request)(void);
int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
int (*task_fix_setuid) (struct cred *new, const struct cred *old,
int flags);
@@ -1741,6 +1745,7 @@ int security_prepare_creds(struct cred *
void security_commit_creds(struct cred *new, const struct cred *old);
int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
+int security_kernel_module_request(void);
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags);
@@ -2292,6 +2297,11 @@ static inline int security_kernel_create
return 0;
}
+static inline int security_kernel_module_request(void)
+{
+ return 0;
+}
+
static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
int flags)
{
diff -up linux-2.6.31.x86_64/kernel/kmod.c.pre.module linux-2.6.31.x86_64/kernel/kmod.c
--- linux-2.6.31.x86_64/kernel/kmod.c.pre.module 2009-09-14 14:02:04.516942256 -0400
+++ linux-2.6.31.x86_64/kernel/kmod.c 2009-09-14 14:03:35.716407772 -0400
@@ -78,6 +78,10 @@ int __request_module(bool wait, const ch
#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
static int kmod_loop_msg;
+ ret = security_kernel_module_request();
+ if (ret)
+ return ret;
+
va_start(args, fmt);
ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
va_end(args);
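Review bot: The added security_kernel_module_request() call runs before `module_name` is produced by vsnprintf(), so the policy hook is consulted without knowing which module is being requested; if the hook is ever to see or audit the name, the three added lines belong after `va_end(args);` and the check of the vsnprintf() result. As placed, a short comment would make the ordering deliberate, e.g. `/* LSM may veto any automatic module load; the name is not yet known here */`. __request_module() begins and ends outside this hunk.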
diff -up linux-2.6.31.x86_64/net/core/dev.c.pre.module linux-2.6.31.x86_64/net/core/dev.c
--- linux-2.6.31.x86_64/net/core/dev.c.pre.module 2009-09-14 14:03:03.826314426 -0400
+++ linux-2.6.31.x86_64/net/core/dev.c 2009-09-14 14:03:30.044573421 -0400
@@ -1031,7 +1031,7 @@ void dev_load(struct net *net, const cha
dev = __dev_get_by_name(net, name);
read_unlock(&dev_base_lock);
- if (!dev && capable(CAP_SYS_MODULE))
+ if (!dev && capable(CAP_NET_ADMIN))
request_module("%s", name);
}
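Review bot: The return value of request_module() on the line after the changed check is still discarded, so a denial from the newly introduced security_kernel_module_request() hook is indistinguishable here from a module that simply is not installed; the refusal is visible only in the LSM's own audit log. The same pattern appears in both tcp_cong.c hunks (`request_module("tcp_%s", name)`), where the name appears to come from the caller and is constrained only by the `tcp_` prefix. A comment at the call, e.g. `/* best effort: an autoload refused by the LSM looks like a missing module */`, would make the silent failure explicit. dev_load() begins outside this hunk.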
diff -up linux-2.6.31.x86_64/net/ipv4/tcp_cong.c.pre.module linux-2.6.31.x86_64/net/ipv4/tcp_cong.c
--- linux-2.6.31.x86_64/net/ipv4/tcp_cong.c.pre.module 2009-09-14 14:03:09.495142463 -0400
+++ linux-2.6.31.x86_64/net/ipv4/tcp_cong.c 2009-09-14 14:03:30.054565116 -0400
@@ -116,7 +116,7 @@ int tcp_set_default_congestion_control(c
spin_lock(&tcp_cong_list_lock);
ca = tcp_ca_find(name);
#ifdef CONFIG_MODULES
- if (!ca && capable(CAP_SYS_MODULE)) {
+ if (!ca && capable(CAP_NET_ADMIN)) {
spin_unlock(&tcp_cong_list_lock);
request_module("tcp_%s", name);
@@ -246,7 +246,7 @@ int tcp_set_congestion_control(struct so
#ifdef CONFIG_MODULES
/* not found attempt to autoload module */
- if (!ca && capable(CAP_SYS_MODULE)) {
+ if (!ca && capable(CAP_NET_ADMIN)) {
rcu_read_unlock();
request_module("tcp_%s", name);
rcu_read_lock();
diff -up linux-2.6.31.x86_64/security/capability.c.pre.module linux-2.6.31.x86_64/security/capability.c
--- linux-2.6.31.x86_64/security/capability.c.pre.module 2009-09-14 14:02:11.009778206 -0400
+++ linux-2.6.31.x86_64/security/capability.c 2009-09-14 14:03:35.718408863 -0400
@@ -396,6 +396,11 @@ static int cap_kernel_create_files_as(st
return 0;
}
+static int cap_kernel_module_request(void)
+{
+ return 0;
+}
+
static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
return 0;
@@ -945,6 +950,7 @@ void security_fixup_ops(struct security_
set_to_cap_if_null(ops, cred_commit);
set_to_cap_if_null(ops, kernel_act_as);
set_to_cap_if_null(ops, kernel_create_files_as);
+ set_to_cap_if_null(ops, kernel_module_request);
set_to_cap_if_null(ops, task_setuid);
set_to_cap_if_null(ops, task_fix_setuid);
set_to_cap_if_null(ops, task_setgid);
diff -up linux-2.6.31.x86_64/security/security.c.pre.module linux-2.6.31.x86_64/security/security.c
--- linux-2.6.31.x86_64/security/security.c.pre.module 2009-09-14 14:02:17.341611595 -0400
+++ linux-2.6.31.x86_64/security/security.c 2009-09-14 14:03:35.720408600 -0400
@@ -709,6 +709,11 @@ int security_kernel_create_files_as(stru
return security_ops->kernel_create_files_as(new, inode);
}
+int security_kernel_module_request(void)
+{
+ return security_ops->kernel_module_request();
+}
+
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
{
return security_ops->task_setuid(id0, id1, id2, flags);
diff -up linux-2.6.31.x86_64/security/selinux/hooks.c.pre.module linux-2.6.31.x86_64/security/selinux/hooks.c
--- linux-2.6.31.x86_64/security/selinux/hooks.c.pre.module 2009-09-14 14:02:24.072199503 -0400
+++ linux-2.6.31.x86_64/security/selinux/hooks.c 2009-09-14 14:03:39.017312134 -0400
@@ -3292,6 +3292,11 @@ static int selinux_kernel_create_files_a
return 0;
}
+static int selinux_kernel_module_request(void)
+{
+ return task_has_system(current, SYSTEM__MODULE_REQUEST);
+}
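Review bot: selinux_kernel_module_request() evaluates SYSTEM__MODULE_REQUEST against `current`, so the decision is made in whatever task context happens to reach request_module(); where that is a kernel thread rather than the process that provoked the autoload, the permission is checked against the kernel's own domain, which the policy must then grant. Since `module_request` is a new permission in the `system` class, policies built before this change will not define it, and the result there is presumably governed by the policy's unknown-permission handling rather than an explicit rule. A comment above the function, e.g. `/* Checked against current, which may be a kernel thread on deferred autoload paths */`, would help whoever debugs a sudden autoload failure. The av_permissions.h and av_perm_to_string.h hunks are the generated counterparts and need no change.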
+
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
{
return current_has_perm(p, PROCESS__SETPGID);
@@ -5400,6 +5405,7 @@ static struct security_operations selinu
.cred_prepare = selinux_cred_prepare,
.kernel_act_as = selinux_kernel_act_as,
.kernel_create_files_as = selinux_kernel_create_files_as,
+ .kernel_module_request = selinux_kernel_module_request,
.task_setpgid = selinux_task_setpgid,
.task_getpgid = selinux_task_getpgid,
.task_getsid = selinux_task_getsid,
diff -up linux-2.6.31.x86_64/security/selinux/include/av_permissions.h.pre.module linux-2.6.31.x86_64/security/selinux/include/av_permissions.h
--- linux-2.6.31.x86_64/security/selinux/include/av_permissions.h.pre.module 2009-09-14 14:02:48.685714616 -0400
+++ linux-2.6.31.x86_64/security/selinux/include/av_permissions.h 2009-09-14 14:03:39.022321676 -0400
@@ -508,6 +508,7 @@
#define SYSTEM__SYSLOG_READ 0x00000002UL
#define SYSTEM__SYSLOG_MOD 0x00000004UL
#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
+#define SYSTEM__MODULE_REQUEST 0x00000010UL
#define CAPABILITY__CHOWN 0x00000001UL
#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
diff -up linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h.pre.module linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h
--- linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h.pre.module 2009-09-14 14:02:37.563058003 -0400
+++ linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h 2009-09-14 14:03:39.019310239 -0400
@@ -107,6 +107,7 @@
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
+ S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1809
retrieving revision 1.1810
diff -u -p -r1.1809 -r1.1810
--- kernel.spec 16 Sep 2009 19:43:47 -0000 1.1809
+++ kernel.spec 16 Sep 2009 19:58:23 -0000 1.1810
@@ -740,6 +740,7 @@ Patch12010: linux-2.6-dell-laptop-rfkill
Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
Patch12012: linux-2.6-rtc-show-hctosys.patch
Patch12013: linux-2.6-rfkill-all.patch
+Patch12014: linux-2.6-selinux-module-load-perms.patch
# patches headed for -stable
@@ -1388,6 +1389,7 @@ ApplyPatch v4l-dvb-fix-cx25840-firmware-
# Patches headed upstream
ApplyPatch linux-2.6-rtc-show-hctosys.patch
ApplyPatch linux-2.6-rfkill-all.patch
+ApplyPatch linux-2.6-selinux-module-load-perms.patch
# patches headed for -stable
@@ -2053,6 +2055,9 @@ fi
# and build.
%changelog
+* Wed Sep 16 2009 Eric Paris <eparis at redhat.com>
+- Do not check CAP_SYS_MODULE when networking tres to autoload a module
+
* Wed Sep 16 2009 John W. Linville <linville at redhat.com>
- Add iwl1000 support patches.