From: Konstantin Khorenko <khore...@virtuozzo.com> Introduce "kernel.ve_allow_module_load" sysctl to allow (1) / deny (0) indirect kernel module loads upon requests from inside Containers.
Indirect modules "autoload" set enabled by default. https://jira.sw.ru/browse/PSBM-127787 Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
 include/linux/sysctl.h | 2 ++
 kernel/kmod.c | 11 +++++++----
 kernel/sysctl.c | 16 ++++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 3c59f962f3f6..83ac52e15c73 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -187,6 +187,8 @@ struct ctl_path {
 extern int trusted_exec;
+extern int ve_allow_module_load;
+
 #ifdef CONFIG_SYSCTL
 void proc_sys_poll_notify(struct ctl_table_poll *poll);
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a5959c0ecdc2..2f9afc601d20 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -25,6 +25,8 @@
 #include <linux/ptrace.h>
 #include <linux/async.h>
 #include <linux/uaccess.h>
+#include <linux/ve.h>
+#include <linux/sysctl.h>
 #include <trace/events/module.h>
@@ -127,10 +129,6 @@ int __request_module(bool wait, const char *fmt, ...)
 char module_name[MODULE_NAME_LEN];
 int ret;
- /* Don't allow request_module() inside VE. */
- if (!ve_is_super(get_exec_env()))
- return -EPERM;
-
 /*
 * We don't allow synchronous module loading from async. Module
 * init may invoke async_synchronize_full() which will end up
@@ -148,6 +146,11 @@ int __request_module(bool wait, const char *fmt, ...)
 if (ret >= MODULE_NAME_LEN)
 return -ENAMETOOLONG;
+ /* Check that autoload is not prohibited using /proc interface */
+ if (!ve_is_super(get_exec_env()) &&
+ !ve_allow_module_load)
+ return -EPERM;
+
 ret = security_kernel_module_request(module_name);
 if (ret)
 return ret;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 49656fd84639..53090d656dec 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
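Review bot: The deny branch `return -EPERM;` after the `!ve_allow_module_load` test in the last kmod.c hunk is silent, so when the host sets the knob to 0 there is no record of which container asked for which module; a ratelimited line such as `pr_info_ratelimited("request_module: %s denied inside container\n", module_name);` before the return would give the host side something to alert on. The same hunk also turns what used to be an unconditional refusal into an allow-by-default path, so with the shipped value of 1 any container can trigger a load of any module present in the host's module tree (assuming the usermode helper still runs on the host side, which the patch does not show); that posture change deserves an explicit sentence in the commit message. A one-line comment above the test noting that the knob is a single host-wide global (it reads the `int ve_allow_module_load` defined in kernel/sysctl.c, not a per-VE value) would save the next reader from assuming per-container granularity. __request_module's body starts and ends outside the hunk.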
@@ -117,12 +117,17 @@ static int __init set_trusted_exec(char *str)
 }
 __setup("trusted_exec", set_trusted_exec);
+int ve_allow_module_load = 1;
+EXPORT_SYMBOL(ve_allow_module_load);
+
 /* Constants used for minimum and maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
 static int sixty = 60;
 #endif
 static int __maybe_unused neg_one = -1;
+static int __maybe_unused zero = 0;
+static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
 static unsigned long zero_ul;
@@ -2362,6 +2367,17 @@ static struct ctl_table kern_table[] = {
 .extra1 = SYSCTL_ZERO,
 .extra2 = &two,
 },
+#endif
+#ifdef CONFIG_VE
+ {
+ .procname = "ve_allow_module_load",
+ .data = &ve_allow_module_load,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ .extra1 = &zero,
+ .extra2 = &one,
+ },
 #endif
 {
 .procname = "ngroups_max",
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
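Review bot: `static int __maybe_unused zero = 0;` and `static int __maybe_unused one = 1;` duplicate constants the file already has: the table entry two lines above the new one in the second hunk uses `.extra1 = SYSCTL_ZERO,`, and the matching `SYSCTL_ONE` exists alongside it, so the new entry can use `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` and both statics can be dropped. `EXPORT_SYMBOL(ve_allow_module_load)` also looks unneeded from what the patch shows, since the only reader is kernel/kmod.c, which is built-in; if no out-of-tree consumer needs the symbol, leaving the policy knob unexported keeps it out of the module-visible namespace. set_trusted_exec's body starts outside the hunk; only its closing brace is visible here.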
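Review bot: The new `ve_allow_module_load` entry is `.mode = 0644` in the global `kern_table` and nothing in the patch ties writes to the host: if /proc/sys/kernel is reachable writable inside a container, container root can set the value back to 1 after the host set it to 0, which defeats the knob entirely. Please confirm how this table is exposed to containers and, if writes can reach it, give the entry a dedicated handler that returns -EPERM when `!ve_is_super(get_exec_env())` before delegating to `proc_dointvec_minmax`, or state in the commit message that the protection relies on the container-side sysctl mount being read-only. The entry also deserves a short paragraph in the kernel sysctl documentation describing the 0/1 meaning, the default of 1, and that it is host-wide rather than per-container. kern_table starts and ends outside the hunk.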