From: Kirill Tkhai <ktk...@parallels.com> Patchset description:
Port autoloading of netfilter modules functionality
https://jira.sw.ru/browse/PSBM-28910

Signed-off-by: Kirill Tkhai <ktk...@parallels.com>

Kirill Tkhai (4):
  kmod: Move check of VE permissions from __call_usermodehelper_exec() to upper functions
  kmod: Port autoloading from CT
  netfilter: Add autoloading of sockopt modules
  netfilter: Check for permissions while looking for target and match

(cherry picked from vz7 commit 6abadc4355f7 ("ve/netfilter: Check for permittions while looking for target and match"))

VZ 8 rebase part
https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com>

(cherry-picked from vz8 commit 3d0593b5d20d ("ve/netfilter: Check for permittions while looking for target and match"))

Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
--- net/netfilter/x_tables.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 7eb2a98ec410..acb2dda97870 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -172,6 +172,29 @@ xt_unregister_matches(struct xt_match *match, unsigned int n) } EXPORT_SYMBOL(xt_unregister_matches); +/* + * Convert xt_name to module name and check for it's allowed. + * + * xt_name is a module name without prefix. + */ +static bool xt_name_allowed(u8 af, const char *xt_name) +{ + char module_name[MODULE_NAME_LEN] = {'\0'}; + const char *prefix = xt_prefix[af]; + int len = strlen(prefix) + strlen("t_"); + + if (len + strnlen(xt_name, MODULE_NAME_LEN) >= MODULE_NAME_LEN) + return false; + + /* Fallback targets (ipt_standard_target etc) */ + if (strcmp(xt_name, XT_STANDARD_TARGET) == 0 || + strcmp(xt_name, XT_ERROR_TARGET) == 0) + return true; + + sprintf(module_name, "%st_%s", prefix, xt_name); + + return module_payload_allowed(module_name); +} /* * These are weird, but module loading must not be done with mutex
@@ -188,6 +211,9 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) return ERR_PTR(-EINVAL); + if (!xt_name_allowed(af, name)) + return ERR_PTR(err); + mutex_lock(&xt[af].mutex); list_for_each_entry(m, &xt[af].match, list) { if (strcmp(m->name, name) == 0) { @@ -237,6 +263,9 @@ static struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) return ERR_PTR(-EINVAL); + if (!xt_name_allowed(af, name)) + return ERR_PTR(err); + mutex_lock(&xt[af].mutex); list_for_each_entry(t, &xt[af].target, list) { if (strcmp(t->name, name) == 0) { -- 2.30.2 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
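Review bot: In the xt_name_allowed() hunk, `sprintf(module_name, "%st_%s", prefix, xt_name)` writes into a fixed MODULE_NAME_LEN buffer and is only safe because of the length check a few lines above; `snprintf(module_name, sizeof(module_name), "%st_%s", prefix, xt_name)` would make the bound local to the call and survive a later edit of that check. The guard itself is correct: rejecting when `len + strnlen(xt_name, MODULE_NAME_LEN) >= MODULE_NAME_LEN` leaves room for the terminating NUL. Two smaller points: the header comment "check for it's allowed" should read "check whether it is allowed", and the comment "Fallback targets (ipt_standard_target etc)" sits in a function that is also called for matches, so it is worth stating that XT_STANDARD_TARGET and XT_ERROR_TARGET bypass module_payload_allowed() because they are built-in fallbacks rather than loadable modules.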
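Review bot: In the xt_find_match() hunk, the new early return uses `ERR_PTR(err)`, but `err` is neither assigned in the hunk nor visible in its context, so the errno a denied caller sees depends on the variable's initial value elsewhere in the function. Return an explicit code instead, e.g. `return ERR_PTR(-ENOENT);` if a disallowed match should look like an absent one, or `-EPERM` if the denial should be distinguishable; the choice also matters for callers that react to -ENOENT by calling request_module() and retrying the lookup, since those would then rely on the kmod-side check from the earlier patches in this series rather than on this one.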
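Review bot: In the xt_find_target() hunk, the same `ERR_PTR(err)` with an unassigned `err` appears as in xt_find_match(); whichever errno is chosen there should be used here too so that match and target denials behave identically. Note also that the check sits before the mutex and the list walk, so it gates use of an already-registered target, not only autoloading; that is the right place for a permission check, and a one-line comment above the `if` would save the next reader from assuming it is only about module loading.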