| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jul 2022 23:24:16 -0300
From: Mauricio Faria de Oliveira <mfo@...onical.com>
To: linux-kernel@...r.kernel.org, linux-modules@...r.kernel.org,
linux-kbuild@...r.kernel.org, linux-fsdevel@...r.kernel.org
Cc: Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Kees Cook <keescook@...omium.org>,
Iurii Zaikin <yzaikin@...gle.com>
Subject: [RFC PATCH 6/6] sysctl: introduce /proc/sys/kernel/modprobe_sysctl_alias
The goal of the earlier patches is to let sysctl userspace tools
load the kernel module with a sysctl entry that is not available
yet in /proc/sys/ when the tool runs (so it can become available).
Let's expose this file for userspace for two reasons:
1) Allow such tools to identify that the running kernel has the
code which produces sysctl module aliases, so they could run
'modprobe sysctl:<entry>' only when it may actually help.
2) Allow an administrator to hint such tools not to do that, if
that is desired for some reason (e.g., rather have the tools
fail if something is misconfigured in a critical deployment).
Also add a module parameter for that (proc.modprobe_sysctl_alias),
for another method that doesn't depend on sysctl tools to be set
(that wouldn't fail them to try and set it if it's not there yet).
Signed-off-by: Mauricio Faria de Oliveira <mfo@...onical.com>
---
fs/proc/proc_sysctl.c | 8 ++++++++
include/linux/module.h | 1 +
kernel/sysctl.c | 9 +++++++++
3 files changed, 18 insertions(+)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index ebbf8702387e..1e63819fcda8 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -33,6 +33,14 @@ static void check_struct_sysctl_device_id(void)
BUILD_BUG_ON(offsetof(struct sysctl_device_id, procname)
!= offsetof(struct ctl_table, procname));
}
+
+/*
+ * Hint sysctl userspace tools whether or not to run modprobe with sysctl alias
+ * ('modprobe sysctl:entry') if they cannot find the file '/proc/sys/.../entry'
+ */
+int modprobe_sysctl_alias = 1;
+module_param(modprobe_sysctl_alias, int, 0644);
+
#else
static void check_struct_sysctl_device_id(void) {}
#endif
diff --git a/include/linux/module.h b/include/linux/module.h
index 3010f687df19..5f565491c596 100644
--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -304,6 +304,7 @@ struct notifier_block;
#ifdef CONFIG_MODULES
extern int modules_disabled; /* for sysctl */
+extern int modprobe_sysctl_alias; /* for proc sysctl */
/* Get/put a kernel symbol (calls must be symmetric) */
void *__symbol_get(const char *symbol);
void *__symbol_get_gpl(const char *symbol);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 15073621cfa8..b396cfcb55fc 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1763,6 +1763,15 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dostring,
},
+#ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "modprobe_sysctl_alias",
+ .data = &modprobe_sysctl_alias,
+ .maxlen = sizeof(modprobe_sysctl_alias),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
{
.procname = "modules_disabled",
.data = &modules_disabled,
--
2.25.1
Powered by blists - more mailing lists