On 15/02/16 21:33, Eric W. Biederman wrote:
Robert Shearman <rshea...@brocade.com> writes:
@@ -85,6 +109,14 @@ int lwtunnel_build_state(struct net_device *dev, u16
encap_type,
ret = -EOPNOTSUPP;
rcu_read_lock();
ops = rcu_dereference(lwtun_encaps[encap_type]);
+#ifdef CONFIG_MODULES
+ if (!ops) {
+ rcu_read_unlock();
+ request_module("rtnl-lwt-%s", lwtunnel_encap_str(encap_type));
+ rcu_read_lock();
+ ops = rcu_dereference(lwtun_encaps[encap_type]);
+ }
+#endif
if (likely(ops && ops->build_state))
ret = ops->build_state(dev, encap, family, cfg, lws);
rcu_read_unlock();
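
Review bot: request_module() in the new #ifdef CONFIG_MODULES block runs with no permission check visible in lwtunnel_build_state(), so the autoload is only as restricted as the callers make it; either check the capability before dropping the RCU lock or add a comment naming the caller-side check this relies on. The return value of lwtunnel_encap_str(encap_type) also goes straight into the "rtnl-lwt-%s" format, so if it can return NULL for an encap type without a name, skip the request_module() call in that case.
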
My memory is fuzzy on how this is done elsewhere but this looks like it
needs a capability check to ensure that non-root users can't trigger
this.

It tends to be problematic if a non-root user can trigger an autoload of
a known-buggy module. With a combination of user namespaces and network
namespaces unprivileged users can cause just about every corner of the
network stack to be exercised.

The same protections apply to this as to the IFLA_INFO_KIND module
autoloading, namely by rtnetlink_rcv_msg ensuring that no messages other
than gets can be done by an unprivileged user:

	type = nlh->nlmsg_type;
	...
	type -= RTM_BASE;
	...
	kind = type&3;
	if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

The lwtunnel_build_state function is only called by the processing of
non-get message types.

Is this sufficient or are you looking for something in addition?

Thanks,
Rob
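
Added example (not part of the original thread and not kernel code): a user-space C model of the check quoted in the reply, showing that a non-get message without the capability is rejected before the modelled autoload path can be reached. model_rcv_msg, model_build_state and autoload_count are hypothetical names, and the handler behaviour is an assumption taken from the reply's description; the RTM_* values are those of include/uapi/linux/rtnetlink.h.

```c
/* User-space model of the rtnetlink_rcv_msg() gate; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Values from include/uapi/linux/rtnetlink.h */
#define RTM_BASE     16
#define RTM_GETLINK  18
#define RTM_NEWROUTE 24
#define RTM_DELROUTE 25
#define RTM_GETROUTE 26

static int autoload_requests; /* counts modelled request_module() calls */

/* Hypothetical stand-in for lwtunnel_build_state() taking the !ops path. */
static int model_build_state(void)
{
	autoload_requests++;   /* where request_module() would run */
	return -EOPNOTSUPP;    /* module not found in this model */
}

/*
 * Each rtnetlink family has four slots (new, del, get, set), so
 * (type - RTM_BASE) & 3 == 2 selects the "get" messages.
 * has_net_admin stands in for netlink_net_capable(skb, CAP_NET_ADMIN),
 * which is evaluated against the user namespace that owns the socket's
 * network namespace, so it is also true for root inside such a namespace.
 */
int model_rcv_msg(int nlmsg_type, bool has_net_admin)
{
	int kind = (nlmsg_type - RTM_BASE) & 3;

	if (kind != 2 && !has_net_admin)
		return -EPERM;              /* rejected before any handler */
	if (kind == 2)
		return 0;                   /* assumption: gets never build state */
	return model_build_state();     /* non-get handler may autoload */
}

int autoload_count(void) { return autoload_requests; }

int main(void)
{
	printf("no cap, NEWROUTE -> %d\n", model_rcv_msg(RTM_NEWROUTE, false));
	printf("no cap, GETROUTE -> %d\n", model_rcv_msg(RTM_GETROUTE, false));
	printf("cap,    NEWROUTE -> %d\n", model_rcv_msg(RTM_NEWROUTE, true));
	printf("autoload requests: %d\n", autoload_count());
	return 0;
}
```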