From: Konstantin Khorenko <khore...@virtuozzo.com> https://jira.sw.ru/browse/PSBM-127787
It's a port of following vz7 commits:
 * 3a4142e ("ve/kmod: Port autoloading from CT") (partially)
 * 8af13e7c ("ve/kmod: list of allowed to autoload in CT modules") (partially)
Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>
---
 include/linux/kmod.h | 5 +++++
 kernel/kmod.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/include/linux/kmod.h b/include/linux/kmod.h
index 68f69362d427..d9b8dd81f595 100644
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -32,4 +32,9 @@ static inline int request_module_nowait(const char *name, ...) { return -ENOSYS;
 #define try_then_request_module(x, mod...) (x)
 #endif
+#ifdef CONFIG_VE
+extern bool module_payload_allowed(const char *module);
+#else
+static inline bool module_payload_allowed(const char *module) { return true; }
+#endif
 #endif /* __LINUX_KMOD_H__ */
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 2f9afc601d20..c8506fd92017 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -151,6 +151,10 @@ int __request_module(bool wait, const char *fmt, ...)
 !ve_allow_module_load)
 return -EPERM;
+ /* Check that module functionality is permitted */
+ if (!module_payload_allowed(module_name))
+ return -EPERM;
+
 ret = security_kernel_module_request(module_name);
 if (ret)
 return ret;
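Review bot: Neither declaration of module_payload_allowed() in the kmod.h hunk documents what the caller passes or what a false return means, and the `#else` stub accepts every module unconditionally, so a reader of the header cannot tell that the CONFIG_VE build consults an allow-list. A short comment above the `#ifdef CONFIG_VE` would close that gap, e.g. `/* Whether the current VE may use the functionality of @module; without CONFIG_VE every module is allowed. */`. The kernel-doc in kmod.c is the only place the contract is described, and the header is what most readers will open.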
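Review bot: A request refused by the new module_payload_allowed() check in the kmod.c hunk returns -EPERM with no trace, so an operator cannot tell a container probing for loadable modules from a misconfigured allow-list; a rate-limited message before the return, `pr_info_ratelimited("kmod: module %s not permitted in this VE\n", module_name);`, would make such denials visible in the log. The value compared is `module_name`, the formatted request string, which callers of request_module() commonly pass as an alias rather than a module file name (the formatting happens above this hunk, so this is inferred), so the comment should state that the allow-list is an exact match on whatever string was requested. __request_module() starts and ends outside this hunk.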
@@ -182,3 +186,32 @@ int __request_module(bool wait, const char *fmt, ...)
 return ret;
 }
 EXPORT_SYMBOL(__request_module);
+
+#ifdef CONFIG_VE
+
+/* ve0 allowed modules */
+static const char * const ve0_allowed_mod[] = {
+};
+
+/*
+ * module_payload_allowed - check if module functionality is allowed
+ * to be used inside current virtual environment.
+ *
+ * Returns true if it is allowed or we're in ve0, false otherwise.
+ */
+bool module_payload_allowed(const char *module)
+{
+ int i;
+
+ if (ve_is_super(get_exec_env()))
+ return true;
+
+ /* Look for full module name in ve0_allowed_mod table */
+ for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++) {
+ if (!strcmp(ve0_allowed_mod[i], module))
+ return true;
+ }
+
+ return false;
+}
+#endif /* CONFIG_VE */
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
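Review bot: `ve0_allowed_mod[]` is declared empty, so whenever ve_is_super() is false the loop body never runs and module_payload_allowed() returns false; combined with the caller's check in the previous hunk, every autoload request from a container now fails with -EPERM. If that deny-all default is intended until the list is populated (the description calls the port partial), say so where the table is defined, e.g. `/* Modules whose functionality containers may use; an empty table denies all. */`, because the present comment "ve0 allowed modules" reads as the opposite of what the table gates — ve0 is exempted before the table is consulted. The index is `int i` compared against ARRAY_SIZE(), which is size_t; `unsigned int i;` avoids the signed/unsigned comparison. The comment block opens with `/*` rather than the kernel-doc `/**`, so the otherwise well-formed description will not be picked up by the kernel-doc tooling.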