[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction
Rusty Russell
rusty at rustcorp.com.au
Mon Apr 24 04:29:48 UTC 2017
Djalal Harouni <tixxdz at gmail.com> writes:
> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a
> module auto-load operation, or CAP_NET_ADMIN for modules with a
> 'netdev-%s' alias.
Sorry, the magic 'netdev-' prefix is a crawling horror. To do this
properly, you need to hand the capability (if any) from the
request_module() call. Probably by adding a new request_module_cap and
making request_module() call that, then fixing up the callers.
Cheers,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list