[Devel] [PATCH rh8 09/28] ve/sysctl/kmod: Introduce tweak to allow indirect modules load from CT

Konstantin Khorenko khorenko at virtuozzo.com
Tue Apr 13 11:25:19 MSK 2021


Introduce the "kernel.ve_allow_module_load" sysctl
to allow (1) / deny (0) indirect kernel module loading upon requests
from inside Containers.

Indirect modules "autoload" set enabled by default.

https://jira.sw.ru/browse/PSBM-127787

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 include/linux/sysctl.h |  2 ++
 kernel/kmod.c          | 11 +++++++----
 kernel/sysctl.c        | 16 ++++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 356db6804c6b..4062812efc27 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -196,6 +196,8 @@ struct ctl_path {
 	const char *procname;
 };
 
+extern int ve_allow_module_load;
+
 #ifdef CONFIG_SYSCTL
 
 void proc_sys_poll_notify(struct ctl_table_poll *poll);
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 8ac6bb3f603a..aa6d2073891a 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -25,6 +25,8 @@
 #include <linux/ptrace.h>
 #include <linux/async.h>
 #include <linux/uaccess.h>
+#include <linux/ve.h>
+#include <linux/sysctl.h>
 
 #include <trace/events/module.h>
 
@@ -128,10 +130,6 @@ int __request_module(bool wait, const char *fmt, ...)
 	char module_name[MODULE_NAME_LEN];
 	int ret;
 
-	/* Don't allow request_module() inside VE. */
-	if (!ve_is_super(get_exec_env()))
-		return -EPERM;
-
 	/*
 	 * We don't allow synchronous module loading from async.  Module
 	 * init may invoke async_synchronize_full() which will end up
@@ -149,6 +147,11 @@ int __request_module(bool wait, const char *fmt, ...)
 	if (ret >= MODULE_NAME_LEN)
 		return -ENAMETOOLONG;
 
+	/* Check that autoload is not prohibited using /proc interface */
+	if (!ve_is_super(get_exec_env()) &&
+	    !ve_allow_module_load)
+		return -EPERM;
+
 	ret = security_kernel_module_request(module_name);
 	if (ret)
 		return ret;
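Review bot: The relocated check `!ve_is_super(get_exec_env()) && !ve_allow_module_load` gates only the container case, and with the default of 1 every kernel path that reaches __request_module() on behalf of a container process now proceeds to a load; since module_name is formatted from the caller's fmt, callers that build it from user-influenced values let a container choose which alias gets requested, which is the intended behaviour but deserves a comment stating it. Nothing records that a container initiated the load, so the host has no detection hook for unexpected autoloads; a rate-limited message once the non-super path passes the check, e.g. `pr_info_ratelimited("request_module(%s) requested from inside a container\n", module_name);` placed after the new `if`, would give operators something to alert on. The existing comment `/* Check that autoload is not prohibited using /proc interface */` could be sharpened to `/* Host-wide policy: refuse container-initiated autoload when kernel.ve_allow_module_load is 0 */`. __request_module() starts and ends outside this hunk.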
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 63401eda6dd5..06fe50ae2575 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -117,12 +117,17 @@ extern unsigned int sysctl_nr_open_min, sysctl_nr_open_max;
 extern int sysctl_nr_trim_pages;
 #endif
 
+int ve_allow_module_load = 1;
+EXPORT_SYMBOL(ve_allow_module_load);
+
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
 static int sixty = 60;
 #endif
 
 static int __maybe_unused neg_one = -1;
+static int __maybe_unused zero = 0;
+static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
 static unsigned long zero_ul;
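Review bot: `static int __maybe_unused zero = 0;` and `static int __maybe_unused one = 1;` duplicate constants this file already provides: the kern_table hunk below shows the preceding entry using `SYSCTL_ZERO` for `.extra1`, and if this tree also carries the companion `SYSCTL_ONE` (added together with SYSCTL_ZERO upstream) both new statics and the `&zero`/`&one` in the new table entry can be replaced by them. `EXPORT_SYMBOL(ve_allow_module_load)` is only needed if a loadable module reads the knob; kmod.c is built in, so unless another consumer exists the export publishes a writable policy variable to every module for no gain — drop it, or name the consumer in the commit message.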
@@ -899,6 +904,17 @@ static struct ctl_table kern_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= &two,
 	},
+#endif
+#ifdef CONFIG_VE
+        {
+		.procname       = "ve_allow_module_load",
+		.data           = &ve_allow_module_load,
+		.maxlen         = sizeof(int),
+		.mode           = 0644,
+		.proc_handler   = &proc_dointvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 #endif
 	{
 		.procname	= "ngroups_max",
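Review bot: The entry is `.mode = 0644` on a single host-wide variable that decides whether any container may trigger module loads; if a container's view of /proc/sys/kernel exposes this table writable, root inside a CT could flip the policy for the whole host, which this hunk does not show either way — confirm the knob is reachable only from the host and record that in a comment above the entry, e.g. `/* Host-only knob: governs request_module() from all CTs, default allow */`. The diffstat touches no documentation file, so the 0/1 semantics and the default of 1 (which reverses the previous unconditional deny inside a VE) should also be described on the kernel sysctl documentation page under Documentation/. Minor style: the opening `{` line is indented with spaces while the rest of the table uses tabs, and `.extra1 = &zero` diverges from the `SYSCTL_ZERO` used by the preceding entry.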
-- 
2.28.0


