lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170515.095228.1483686375235860235.davem@davemloft.net> Date: Mon, 15 May 2017 09:52:28 -0400 (EDT) From: David Miller <davem@...emloft.net> To: gregkh@...uxfoundation.org Cc: ebiederm@...ssion.com, mahesh@...dewar.net, mingo@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, keescook@...omium.org, edumazet@...gle.com, maheshb@...gle.com Subject: Re: [PATCH] kmod: don't load module unless req process has CAP_SYS_MODULE From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Date: Mon, 15 May 2017 08:10:59 +0200 > On Sun, May 14, 2017 at 08:57:34AM -0500, Eric W. Biederman wrote: >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes: >> >> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c >> index bcb0f610ee42..6b72528a4636 100644 >> --- a/net/core/rtnetlink.c >> +++ b/net/core/rtnetlink.c >> @@ -2595,7 +2595,7 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, >> >> if (!ops) { >> #ifdef CONFIG_MODULES >> - if (kind[0]) { >> + if (kind[0] && capable(CAP_NET_ADMIN)) { >> __rtnl_unlock(); >> request_module("rtnl-link-%s", kind); >> rtnl_lock(); > > I don't object to this if the networking developers don't mind the > change in functionality. They can handle the fallout :) As I've said in another email, I am pretty sure this can break things.
Powered by blists - more mailing lists