[Devel] [PATCH RHEL7 COMMIT] ve/kmod: list of allowed to autoload in CT modules
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jan 14 05:24:52 PST 2016
The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.9.20
------>
commit eee36a40dc67a614b32ec98452413b0f10d32eed
Author: Dmitry Safonov <dsafonov at odin.com>
Date: Thu Jan 14 17:24:52 2016 +0400
ve/kmod: list of allowed to autoload in CT modules
Since now not only iptables modules are allowed to be loaded
upon request from inside a Container, the list of modules
allowed to be autoload from inside a CT are stored in ve0_allowed_mod.
* binfmt_misc added to this list
* module_payload_allowed function moved outside CONFIG_VE_IPTABLES, so it
is compiled even with the config disabled
* renamed ve0_am to ve0_ipt_am for better description
* module_payload_iptable_allowed() now returns -1 in case the module name
is not in the list of iptables modules
* fix misspelled enviroment -> environment in comment
https://jira.sw.ru/browse/PSBM-41216
Signed-off-by: Dmitry Safonov <dmsafonov at virtuozzo.com>
Acked-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
kernel/kmod.c | 70 ++++++++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 53 insertions(+), 17 deletions(-)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index d0cdf36..b5bf38df 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -199,11 +199,11 @@ static int ___request_module(bool wait, bool blacklist, char *module_name)
#ifdef CONFIG_VE_IPTABLES
-/* ve0 allowed modules */
+/* ve0 allowed iptables modules */
static struct {
const char *name;
u64 perm;
-} ve0_am[] = {
+} ve0_ipt_am[] = {
{ "ip_tables", VE_IP_IPTABLES },
{ "ip6_tables", VE_IP_IPTABLES6 },
{ "iptable_filter", VE_IP_FILTER },
@@ -318,7 +318,7 @@ static bool nft_expr_allowed(const char *name)
/*
* We are interested in modules like nft-expr-xxx.
* Expressions like nft-expr-xxx-yyy currently are
- * handled in ve0_am table. So expr does not cointain
+ * handled in ve0_ipt_am table. So expr does not contain
* minus
*/
if (!strchr(name, '-'))
@@ -328,23 +328,23 @@ static bool nft_expr_allowed(const char *name)
}
/*
- * module_payload_allowed - check if module functionality is allowed
- * to be used inside current virtual enviroment.
+ * module_payload_iptable_allowed - check if iptables functionality is allowed
+ * to be used inside current virtual environment.
*
- * Returns true if it is allowed or we're in ve0, false otherwise.
+ * Returns:
+ * 0 if iptable module is disallowed to load
+ * 1 if it is allowed or we're in ve0
+ * -1 if module isn't iptables module
*/
-bool module_payload_allowed(const char *module)
+static inline int module_payload_iptable_allowed(const char *module)
{
u64 permitted = get_exec_env()->ipt_mask;
int i;
- if (ve_is_super(get_exec_env()))
- return true;
-
- /* Look for full module name in ve0_am table */
- for (i = 0; i < ARRAY_SIZE(ve0_am); i++) {
- if (!strcmp(ve0_am[i].name, module))
- return mask_ipt_allow(permitted, ve0_am[i].perm);
+ /* Look for full module name in ve0_ipt_am table */
+ for (i = 0; i < ARRAY_SIZE(ve0_ipt_am); i++) {
+ if (!strcmp(ve0_ipt_am[i].name, module))
+ return mask_ipt_allow(permitted, ve0_ipt_am[i].perm);
}
/* The rest of xt_* modules is allowed in both ipv4 and ipv6 modes */
@@ -362,20 +362,56 @@ bool module_payload_allowed(const char *module)
/* The rest of arpt_* modules */
if (!strncmp("arpt_", module, 5))
- return true;
+ return 1;
/* The rest of ebt_* modules */
if (!strncmp("ebt_", module, 4))
- return true;
+ return 1;
/* The rest of nft- modules */
if (!strncmp("nft-expr-", module, 9))
return nft_expr_allowed(module + 9);
- return false;
+ return -1;
}
+
+#else /* CONFIG_VE_IPTABLES */
+
+#define module_payload_iptable_allowed(module) -1
+
#endif /* CONFIG_VE_IPTABLES */
+/* ve0 allowed modules */
+static const char * const ve0_allowed_mod[] = {
+ "binfmt_misc"
+};
+
+/*
+ * module_payload_allowed - check if module functionality is allowed
+ * to be used inside current virtual environment.
+ *
+ * Returns true if it is allowed or we're in ve0, false otherwise.
+ */
+bool module_payload_allowed(const char *module)
+{
+ int i;
+ int ret;
+
+ if (ve_is_super(get_exec_env()))
+ return true;
+
+ ret = module_payload_iptable_allowed(module);
+ if (ret >= 0)
+ return !!ret;
+
+ for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++) {
+ if (!strcmp(ve0_allowed_mod[i], module))
+ return true;
+ }
+
+ return false;
+}
+
int __request_module(bool wait, const char *fmt, ...)
{
char module_name[MODULE_NAME_LEN];
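Review bot: The `#else` stub `#define module_payload_iptable_allowed(module) -1` is a function-like macro that discards its argument, so with CONFIG_VE_IPTABLES disabled the call in module_payload_allowed is never type-checked against the `const char *` the real function takes; a `static inline int module_payload_iptable_allowed(const char *module) { return -1; }` gives both configurations the same prototype. Since ve0_allowed_mod is now the allow-list that decides which module names a Container can make the kernel load through request_module, the `/* ve0 allowed modules */` comment above it says too little — something like `/* Modules a Container (not ve0) may trigger autoloading of; an entry here lets every CT load that module into the shared kernel */` would state what adding an entry means, and the reason given in the commit message for admitting binfmt_misc could be recorded there too. The loop index `int i` compared with `ARRAY_SIZE(ve0_allowed_mod)` repeats the signed/unsigned comparison of the iptables loop; `size_t i` would be the cleaner choice for the new code.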