On Fri Jun 5, 2026 at 8:30 PM CEST, Sami Tolvanen wrote: > On Fri, May 15, 2026 at 07:20:20PM +0200, Michal Gorlas wrote: >> Restrict module auto-loading to CAP_SYS_ADMIN if >> CONFIG_MODULE_RESTRICT_AUTOLOAD is enabled, cmdline parameter >> modrestrict=true, or kernel.modrestrict=1 is set with sysctl. >> >> Signed-off-by: Michal Gorlas <[email protected]> >> --- >> kernel/module/internal.h | 1 + >> kernel/module/kmod.c | 5 +++++ >> kernel/module/main.c | 11 +++++++++++ >> 3 files changed, 17 insertions(+) >> >> diff --git a/kernel/module/internal.h b/kernel/module/internal.h >> index 061161cc79d9..496d8703f0c6 100644 >> --- a/kernel/module/internal.h >> +++ b/kernel/module/internal.h >> @@ -46,6 +46,7 @@ struct kernel_symbol { >> >> extern struct mutex module_mutex; >> extern struct list_head modules; >> +extern bool module_autoload_restrict; >> >> extern const struct module_attribute *const modinfo_attrs[]; >> extern const size_t modinfo_attrs_count; >> diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c >> index a25dccdf7aa7..58b28c23f571 100644 >> --- a/kernel/module/kmod.c >> +++ b/kernel/module/kmod.c >> @@ -156,6 +156,11 @@ int __request_module(bool wait, const char *fmt, ...) >> if (ret) >> return ret; >> >> + if (module_autoload_restrict && !capable(CAP_SYS_ADMIN)) { >> + pr_alert("denied attempt to auto-load module %s\n", >> module_name); > > Is pr_alert appropriate here or can this be a warning? Also, use the > _ratelimited > variant like the pre-existing warning in this function.
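Review bot: in the __request_module hunk of kernel/module/kmod.c, the denial message records only module_name, so the log does not show which task triggered the request. Since capable(CAP_SYS_ADMIN) is evaluated against current, adding current->comm and the pid to the message would make each denial attributable. The new branch also rejects every caller that lacks CAP_SYS_ADMIN in the same way, so the commit message should say which autoload requests made on behalf of unprivileged tasks are expected to start failing once the switch is on. The return statement of the new branch is not visible in the quoted lines; it should return an errno that existing request_module callers already handle.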
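Review bot: the diffstat lists only kernel/module/internal.h, kmod.c and main.c, so the modrestrict= command-line parameter and the kernel.modrestrict sysctl named in the commit message get no documentation in this patch, and no Kconfig change for CONFIG_MODULE_RESTRICT_AUTOLOAD appears here either. If those are not covered elsewhere in the series, add the admin-guide entries and the Kconfig help text alongside this change. In the internal.h hunk, the variable is declared as module_autoload_restrict while the user-facing name is modrestrict; a short comment on the extern stating which knobs write it, and that it is read on the autoload path in __request_module, would help readers connect the two.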
pr_alert was here in the grsec version (thus I assumed it makes sense here), but agree, pr_warn_ratelimited makes more sense.

Best,
Michal

