[Devel] [PATCH] kmod: list of allowed to autoload in CT modules
Dmitry Safonov
dsafonov at odin.com
Mon Dec 14 02:43:52 PST 2015
On 12/11/2015 07:19 PM, Kirill Tkhai wrote:
> On 11.12.2015 16:18, Dmitry Safonov wrote:
>> Now modules that are allowed to autoload in CT are inside ve0_allowed_mod.
>> Added binfmt_misc to this list.
>> Moved module_payload_allowed function outside CONFIG_VE_IPTABLES, so it
>> will compile with config disabled.
>> Renamed ve0_am to ve0_ipt_am for better description.
>> Old logic saved as-is in module_payload_iptable_allowed, which now
>> returns int to distinguish if module name equals some in ve0_ipt_am[],
>> but module isn't allowed to load.
>> Fix misspelled enviroment -> environment in comment.
>>
>> Signed-off-by: Dmitry Safonov <dsafonov at odin.com>
> Please, see inline comments below.
>
>> ---
>> kernel/kmod.c | 70 ++++++++++++++++++++++++++++++++++++++++++++---------------
>> 1 file changed, 53 insertions(+), 17 deletions(-)
>>
>> diff --git a/kernel/kmod.c b/kernel/kmod.c
>> index d0cdf36..369ee64 100644
>> --- a/kernel/kmod.c
>> +++ b/kernel/kmod.c
>> @@ -199,11 +199,11 @@ static int ___request_module(bool wait, bool blacklist, char *module_name)
>>
>> #ifdef CONFIG_VE_IPTABLES
>>
>> -/* ve0 allowed modules */
>> +/* ve0 allowed iptables modules */
>> static struct {
>> const char *name;
>> u64 perm;
>> -} ve0_am[] = {
>> +} ve0_ipt_am[] = {
>> { "ip_tables", VE_IP_IPTABLES },
>> { "ip6_tables", VE_IP_IPTABLES6 },
>> { "iptable_filter", VE_IP_FILTER },
>> @@ -318,7 +318,7 @@ static bool nft_expr_allowed(const char *name)
>> /*
>> * We are interested in modules like nft-expr-xxx.
>> * Expressions like nft-expr-xxx-yyy currently are
>> - * handled in ve0_am table. So expr does not cointain
>> + * handled in ve0_ipt_am table. So expr does not cointain
>> * minus
>> */
>> if (!strchr(name, '-'))
>> @@ -328,23 +328,23 @@ static bool nft_expr_allowed(const char *name)
>> }
>>
>> /*
>> - * module_payload_allowed - check if module functionality is allowed
>> - * to be used inside current virtual enviroment.
>> + * module_payload_iptable_allowed - check if iptables functionality is allowed
>> + * to be used inside current virtual environment.
>> *
>> - * Returns true if it is allowed or we're in ve0, false otherwise.
>> + * Returns:
>> + * 0 if iptable module is disallowed to load
>> + * 1 if it is allowed or we're in ve0
>> + * -1 if module isn't iptables module
> Do we really need these 3 return values? Can't we simple return "true" or "false" here?
I suppose yes: if iptables module is disallowed to probe for CT in it's
cgroup, it will return 0 here, regardless of content in newly introduced
ve0_allowed_mod.
>
>> */
>> -bool module_payload_allowed(const char *module)
>> +static inline int module_payload_iptable_allowed(const char *module)
>> {
>> u64 permitted = get_exec_env()->ipt_mask;
>> int i;
>>
>> - if (ve_is_super(get_exec_env()))
>> - return true;
>> -
>> - /* Look for full module name in ve0_am table */
>> - for (i = 0; i < ARRAY_SIZE(ve0_am); i++) {
>> - if (!strcmp(ve0_am[i].name, module))
>> - return mask_ipt_allow(permitted, ve0_am[i].perm);
>> + /* Look for full module name in ve0_ipt_am table */
>> + for (i = 0; i < ARRAY_SIZE(ve0_ipt_am); i++) {
>> + if (!strcmp(ve0_ipt_am[i].name, module))
>> + return mask_ipt_allow(permitted, ve0_ipt_am[i].perm);
>> }
>>
>> /* The rest of xt_* modules is allowed in both ipv4 and ipv6 modes */
>> @@ -362,20 +362,56 @@ bool module_payload_allowed(const char *module)
>>
>> /* The rest of arpt_* modules */
>> if (!strncmp("arpt_", module, 5))
>> - return true;
>> + return 1;
>>
>> /* The rest of ebt_* modules */
>> if (!strncmp("ebt_", module, 4))
>> - return true;
>> + return 1;
>>
>> /* The rest of nft- modules */
>> if (!strncmp("nft-expr-", module, 9))
>> return nft_expr_allowed(module + 9);
>>
>> - return false;
>> + return -1;
>> }
>> +
>> +#else /* CONFIG_VE_IPTABLES */
>> +
>> +#define module_payload_iptable_allowed(module) -1
>> +
>> #endif /* CONFIG_VE_IPTABLES */
>>
>> +/* ve0 allowed modules */
>> +static const char * const ve0_allowed_mod[] = {
>> + "binfmt_misc"
>> +};
>> +
>> +/*
>> + * module_payload_allowed - check if module functionality is allowed
>> + * to be used inside current virtual environment.
>> + *
>> + * Returns true if it is allowed or we're in ve0, false otherwise.
>> + */
>> +bool module_payload_allowed(const char *module)
>> +{
>> + int i;
>> + int ret;
>> +
>> + if (ve_is_super(get_exec_env()))
>> + return true;
>> +
>> + ret = module_payload_iptable_allowed(module);
>> + if (ret > 0)
>> + return !!ret;
> Can't we simple return "true" here?
>
>> +
>> + for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++) {
>> + if (!strcmp(ve0_allowed_mod[i], module))
>> + return true;
>> + }
>> +
>> + return false;
>> +}
>> +
>> int __request_module(bool wait, const char *fmt, ...)
>> {
>> char module_name[MODULE_NAME_LEN];
>>
> Thanks,
> Kirill
--
Regards,
Dmitry Safonov
More information about the Devel
mailing list