rpms/kernel/F-12 linux-2.6-selinux-module-load-perms.patch, NONE, 1.1 kernel.spec, 1.1809, 1.1810

Eric Paris eparis at fedoraproject.org
Wed Sep 16 19:58:23 UTC 2009


Author: eparis

Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14436

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-selinux-module-load-perms.patch 
Log Message:
* Wed Sep 16 2009 Eric Paris <eparis at redhat.com>
- Do not check CAP_SYS_MODULE when networking tries to autoload a module


linux-2.6-selinux-module-load-perms.patch:
 drivers/staging/comedi/comedi_fops.c         |    8 ++++----
 include/linux/security.h                     |   10 ++++++++++
 kernel/kmod.c                                |    4 ++++
 net/core/dev.c                               |    2 +-
 net/ipv4/tcp_cong.c                          |    4 ++--
 security/capability.c                        |    6 ++++++
 security/security.c                          |    5 +++++
 security/selinux/hooks.c                     |    6 ++++++
 security/selinux/include/av_perm_to_string.h |    1 +
 security/selinux/include/av_permissions.h    |    1 +
 10 files changed, 40 insertions(+), 7 deletions(-)

--- NEW FILE linux-2.6-selinux-module-load-perms.patch ---
diff -up linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c.pre.module linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c
--- linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c.pre.module	2009-09-14 14:02:56.726491957 -0400
+++ linux-2.6.31.x86_64/drivers/staging/comedi/comedi_fops.c	2009-09-14 14:03:30.035571987 -0400
@@ -1752,12 +1752,12 @@ static int comedi_open(struct inode *ino
 	mutex_lock(&dev->mutex);
 	if (dev->attached)
 		goto ok;
-	if (!capable(CAP_SYS_MODULE) && dev->in_request_module) {
+	if (!capable(CAP_NET_ADMIN) && dev->in_request_module) {
 		DPRINTK("in request module\n");
 		mutex_unlock(&dev->mutex);
 		return -ENODEV;
 	}
-	if (capable(CAP_SYS_MODULE) && dev->in_request_module)
+	if (capable(CAP_NET_ADMIN) && dev->in_request_module)
 		goto ok;
 
 	dev->in_request_module = 1;
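Review bot: comedi_open() is a device-driver open path, not a networking one, so switching its autoload gate from CAP_SYS_MODULE to CAP_NET_ADMIN (both replaced lines in this hunk and the two in the next hunk of this file) hands the right to trigger a module load to a capability whose holders have no obvious relation to comedi devices. If the goal is only to stop requiring CAP_SYS_MODULE for the autoload, a capability that already governs access to the device, or relying on the security_kernel_module_request() hook that __request_module() now calls, would express the intent more precisely; the `"not attached and not CAP_NET_ADMIN\n"` DPRINTK text should follow whatever is chosen. The body of comedi_open() starts before the first hunk and continues after the second, so I cannot see whether other checks in it still reference CAP_SYS_MODULE.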
@@ -1770,8 +1770,8 @@ static int comedi_open(struct inode *ino
 
 	dev->in_request_module = 0;
 
-	if (!dev->attached && !capable(CAP_SYS_MODULE)) {
-		DPRINTK("not attached and not CAP_SYS_MODULE\n");
+	if (!dev->attached && !capable(CAP_NET_ADMIN)) {
+		DPRINTK("not attached and not CAP_NET_ADMIN\n");
 		mutex_unlock(&dev->mutex);
 		return -ENODEV;
 	}
diff -up linux-2.6.31.x86_64/include/linux/security.h.pre.module linux-2.6.31.x86_64/include/linux/security.h
--- linux-2.6.31.x86_64/include/linux/security.h.pre.module	2009-09-14 14:01:55.018199730 -0400
+++ linux-2.6.31.x86_64/include/linux/security.h	2009-09-14 14:03:35.710454710 -0400
@@ -678,6 +678,9 @@ static inline void security_free_mnt_opt
  *	@inode points to the inode to use as a reference.
  *	The current task must be the one that nominated @inode.
  *	Return 0 if successful.
+ * @kernel_module_request:
+ *	Ability to trigger the kernel to automatically upcall to userspace for
+ *	userspace to load a kernel module with the given name.
  * @task_setuid:
  *	Check permission before setting one or more of the user identity
  *	attributes of the current process.  The @flags parameter indicates
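Review bot: The new @kernel_module_request entry says what the hook gates but not its return contract, whereas the neighbouring entries do (the one above ends with `Return 0 if successful.`). Add a matching line so implementers know that a non-zero value denies the request: `*	Return 0 if permission is granted.` It would also help to state that the hook is invoked from __request_module() before the requested module name has been formatted, since that is where the kmod.c hunk in this patch calls it and the hook carries no name argument.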
@@ -1489,6 +1492,7 @@ struct security_operations {
 	void (*cred_commit)(struct cred *new, const struct cred *old);
 	int (*kernel_act_as)(struct cred *new, u32 secid);
 	int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
+	int (*kernel_module_request)(void);
 	int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
 	int (*task_fix_setuid) (struct cred *new, const struct cred *old,
 				int flags);
@@ -1741,6 +1745,7 @@ int security_prepare_creds(struct cred *
 void security_commit_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
+int security_kernel_module_request(void);
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
 			     int flags);
@@ -2292,6 +2297,11 @@ static inline int security_kernel_create
 	return 0;
 }
 
+static inline int security_kernel_module_request(void)
+{
+	return 0;
+}
+
 static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
 				       int flags)
 {
diff -up linux-2.6.31.x86_64/kernel/kmod.c.pre.module linux-2.6.31.x86_64/kernel/kmod.c
--- linux-2.6.31.x86_64/kernel/kmod.c.pre.module	2009-09-14 14:02:04.516942256 -0400
+++ linux-2.6.31.x86_64/kernel/kmod.c	2009-09-14 14:03:35.716407772 -0400
@@ -78,6 +78,10 @@ int __request_module(bool wait, const ch
 #define MAX_KMOD_CONCURRENT 50	/* Completely arbitrary value - KAO */
 	static int kmod_loop_msg;
 
+	ret = security_kernel_module_request();
+	if (ret)
+		return ret;
+
 	va_start(args, fmt);
 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
 	va_end(args);
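Review bot: The hook is called before vsnprintf() has formatted module_name, so the LSM decides, and any audit record it emits, without knowing which module is being requested; a denied network-triggered autoload will appear as a bare system:module_request denial with no module name. Moving the three added lines (`ret = security_kernel_module_request();` / `if (ret)` / `return ret;`) below va_end(args) and the length check on the formatted name that presumably follows it costs nothing and leaves room to later widen the hook to take module_name so policy and audit can name the module. The `ret` reused here is presumably the int that __request_module() already declares above the hunk; the function begins before the hunk and continues after it.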
diff -up linux-2.6.31.x86_64/net/core/dev.c.pre.module linux-2.6.31.x86_64/net/core/dev.c
--- linux-2.6.31.x86_64/net/core/dev.c.pre.module	2009-09-14 14:03:03.826314426 -0400
+++ linux-2.6.31.x86_64/net/core/dev.c	2009-09-14 14:03:30.044573421 -0400
@@ -1031,7 +1031,7 @@ void dev_load(struct net *net, const cha
 	dev = __dev_get_by_name(net, name);
 	read_unlock(&dev_base_lock);
 
-	if (!dev && capable(CAP_SYS_MODULE))
+	if (!dev && capable(CAP_NET_ADMIN))
 		request_module("%s", name);
 }
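Review bot: dev_load() hands the caller-supplied interface name to request_module() unmodified (`request_module("%s", name)` on the line above), so lowering the gate to CAP_NET_ADMIN lets any holder of that capability autoload an arbitrary module by name rather than just a network driver, which widens what CAP_NET_ADMIN means system-wide; the SELinux hook added by this patch only narrows that where policy confines the caller. The tcp_cong.c hunks in the same patch are bounded by construction because they request `tcp_%s`; dev_load() could do likewise by requesting a prefixed, driver-specific alias instead of the raw name. If a prefix is not workable here, keeping CAP_SYS_MODULE at this one call site while relaxing the prefixed ones would preserve the previous boundary.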
 
diff -up linux-2.6.31.x86_64/net/ipv4/tcp_cong.c.pre.module linux-2.6.31.x86_64/net/ipv4/tcp_cong.c
--- linux-2.6.31.x86_64/net/ipv4/tcp_cong.c.pre.module	2009-09-14 14:03:09.495142463 -0400
+++ linux-2.6.31.x86_64/net/ipv4/tcp_cong.c	2009-09-14 14:03:30.054565116 -0400
@@ -116,7 +116,7 @@ int tcp_set_default_congestion_control(c
 	spin_lock(&tcp_cong_list_lock);
 	ca = tcp_ca_find(name);
 #ifdef CONFIG_MODULES
-	if (!ca && capable(CAP_SYS_MODULE)) {
+	if (!ca && capable(CAP_NET_ADMIN)) {
 		spin_unlock(&tcp_cong_list_lock);
 
 		request_module("tcp_%s", name);
@@ -246,7 +246,7 @@ int tcp_set_congestion_control(struct so
 
 #ifdef CONFIG_MODULES
 	/* not found attempt to autoload module */
-	if (!ca && capable(CAP_SYS_MODULE)) {
+	if (!ca && capable(CAP_NET_ADMIN)) {
 		rcu_read_unlock();
 		request_module("tcp_%s", name);
 		rcu_read_lock();
diff -up linux-2.6.31.x86_64/security/capability.c.pre.module linux-2.6.31.x86_64/security/capability.c
--- linux-2.6.31.x86_64/security/capability.c.pre.module	2009-09-14 14:02:11.009778206 -0400
+++ linux-2.6.31.x86_64/security/capability.c	2009-09-14 14:03:35.718408863 -0400
@@ -396,6 +396,11 @@ static int cap_kernel_create_files_as(st
 	return 0;
 }
 
+static int cap_kernel_module_request(void)
+{
+	return 0;
+}
+
 static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
 	return 0;
@@ -945,6 +950,7 @@ void security_fixup_ops(struct security_
 	set_to_cap_if_null(ops, cred_commit);
 	set_to_cap_if_null(ops, kernel_act_as);
 	set_to_cap_if_null(ops, kernel_create_files_as);
+	set_to_cap_if_null(ops, kernel_module_request);
 	set_to_cap_if_null(ops, task_setuid);
 	set_to_cap_if_null(ops, task_fix_setuid);
 	set_to_cap_if_null(ops, task_setgid);
diff -up linux-2.6.31.x86_64/security/security.c.pre.module linux-2.6.31.x86_64/security/security.c
--- linux-2.6.31.x86_64/security/security.c.pre.module	2009-09-14 14:02:17.341611595 -0400
+++ linux-2.6.31.x86_64/security/security.c	2009-09-14 14:03:35.720408600 -0400
@@ -709,6 +709,11 @@ int security_kernel_create_files_as(stru
 	return security_ops->kernel_create_files_as(new, inode);
 }
 
+int security_kernel_module_request(void)
+{
+	return security_ops->kernel_module_request();
+}
+
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
 	return security_ops->task_setuid(id0, id1, id2, flags);
diff -up linux-2.6.31.x86_64/security/selinux/hooks.c.pre.module linux-2.6.31.x86_64/security/selinux/hooks.c
--- linux-2.6.31.x86_64/security/selinux/hooks.c.pre.module	2009-09-14 14:02:24.072199503 -0400
+++ linux-2.6.31.x86_64/security/selinux/hooks.c	2009-09-14 14:03:39.017312134 -0400
@@ -3292,6 +3292,11 @@ static int selinux_kernel_create_files_a
 	return 0;
 }
 
+static int selinux_kernel_module_request(void)
+{
+	return task_has_system(current, SYSTEM__MODULE_REQUEST);
+}
+
 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return current_has_perm(p, PROCESS__SETPGID);
@@ -5400,6 +5405,7 @@ static struct security_operations selinu
 	.cred_prepare =			selinux_cred_prepare,
 	.kernel_act_as =		selinux_kernel_act_as,
 	.kernel_create_files_as =	selinux_kernel_create_files_as,
+	.kernel_module_request =	selinux_kernel_module_request,
 	.task_setpgid =			selinux_task_setpgid,
 	.task_getpgid =			selinux_task_getpgid,
 	.task_getsid =			selinux_task_getsid,
diff -up linux-2.6.31.x86_64/security/selinux/include/av_permissions.h.pre.module linux-2.6.31.x86_64/security/selinux/include/av_permissions.h
--- linux-2.6.31.x86_64/security/selinux/include/av_permissions.h.pre.module	2009-09-14 14:02:48.685714616 -0400
+++ linux-2.6.31.x86_64/security/selinux/include/av_permissions.h	2009-09-14 14:03:39.022321676 -0400
@@ -508,6 +508,7 @@
 #define SYSTEM__SYSLOG_READ                       0x00000002UL
 #define SYSTEM__SYSLOG_MOD                        0x00000004UL
 #define SYSTEM__SYSLOG_CONSOLE                    0x00000008UL
+#define SYSTEM__MODULE_REQUEST                    0x00000010UL
 #define CAPABILITY__CHOWN                         0x00000001UL
 #define CAPABILITY__DAC_OVERRIDE                  0x00000002UL
 #define CAPABILITY__DAC_READ_SEARCH               0x00000004UL
diff -up linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h.pre.module linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h
--- linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h.pre.module	2009-09-14 14:02:37.563058003 -0400
+++ linux-2.6.31.x86_64/security/selinux/include/av_perm_to_string.h	2009-09-14 14:03:39.019310239 -0400
@@ -107,6 +107,7 @@
    S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
    S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
    S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
+   S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
    S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
    S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
    S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1809
retrieving revision 1.1810
diff -u -p -r1.1809 -r1.1810
--- kernel.spec	16 Sep 2009 19:43:47 -0000	1.1809
+++ kernel.spec	16 Sep 2009 19:58:23 -0000	1.1810
@@ -740,6 +740,7 @@ Patch12010: linux-2.6-dell-laptop-rfkill
 Patch12011: linux-2.6-block-silently-error-unsupported-empty-barriers-too.patch
 Patch12012: linux-2.6-rtc-show-hctosys.patch
 Patch12013: linux-2.6-rfkill-all.patch
+Patch12014: linux-2.6-selinux-module-load-perms.patch
 
 # patches headed for -stable
 
@@ -1388,6 +1389,7 @@ ApplyPatch v4l-dvb-fix-cx25840-firmware-
 # Patches headed upstream
 ApplyPatch linux-2.6-rtc-show-hctosys.patch
 ApplyPatch linux-2.6-rfkill-all.patch
+ApplyPatch linux-2.6-selinux-module-load-perms.patch
 
 # patches headed for -stable
 
@@ -2053,6 +2055,9 @@ fi
 # and build.
 
 %changelog
+* Wed Sep 16 2009 Eric Paris <eparis at redhat.com>
+- Do not check CAP_SYS_MODULE when networking tres to autoload a module
+
 * Wed Sep 16 2009 John W. Linville <linville at redhat.com>
 - Add iwl1000 support patches.
 



