[Devel] [PATCH rh8 11/28] ve/kmod/whitelist: Infrustructure for list of modules to autoload from CT
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Apr 13 11:25:21 MSK 2021
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
It's a port of the following vz7 commits:
* 3a4142e ("ve/kmod: Port autoloading from CT") (partially)
* 8af13e7c ("ve/kmod: list of allowed to autoload in CT modules")
(partially)
---
include/linux/kmod.h | 5 +++++
kernel/kmod.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/include/linux/kmod.h b/include/linux/kmod.h
index 40c89ad4bea6..0e823d1ae456 100644
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -45,4 +45,9 @@ static inline int request_module_nowait(const char *name, ...) { return -ENOSYS;
#define try_then_request_module(x, mod...) (x)
#endif
+#ifdef CONFIG_VE
+extern bool module_payload_allowed(const char *module);
+#else
+static inline bool module_payload_allowed(const char *module) { return true; }
+#endif
#endif /* __LINUX_KMOD_H__ */
diff --git a/kernel/kmod.c b/kernel/kmod.c
index ee15b27c3198..7d343ec8d145 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -157,6 +157,10 @@ int __request_module(bool wait, const char *fmt, ...)
!ve_allow_module_load)
return -EPERM;
+ /* Check that module functionality is permitted */
+ if (!module_payload_allowed(module_name))
+ return -EPERM;
+
/*
* This function may be called from ve0, where standard behaviour
* is not to use blacklist. So, we request blacklist reading only
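Review bot: The new `-EPERM` return after `module_payload_allowed(module_name)` is silent, so a request refused by the per-CT whitelist leaves no trace in the kernel log, the same way the `ve_allow_module_load` refusal just above it does; that makes whitelist misses hard to diagnose from inside or outside the container and gives nothing for monitoring to key on. A ratelimited message before the return, e.g. `pr_warn_ratelimited("request_module: module %s is not allowed in CT\n", module_name);`, would cover both diagnosis and detection at low cost. The comment could also state the policy rather than just the action: `/* Per-CT whitelist: only modules listed in ve0_allowed_mod[] may be autoloaded from a CT; ve0 is exempt. */`. `__request_module()` begins before this hunk, so where `module_name` is filled in (presumably from `fmt`) is not visible here.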
@@ -195,3 +199,32 @@ int __request_module(bool wait, const char *fmt, ...)
return ret;
}
EXPORT_SYMBOL(__request_module);
+
+#ifdef CONFIG_VE
+
+/* ve0 allowed modules */
+static const char * const ve0_allowed_mod[] = {
+};
+
+/*
+ * module_payload_allowed - check if module functionality is allowed
+ * to be used inside current virtual environment.
+ *
+ * Returns true if it is allowed or we're in ve0, false otherwise.
+ */
+bool module_payload_allowed(const char *module)
+{
+ int i;
+
+ if (ve_is_super(get_exec_env()))
+ return true;
+
+ /* Look for full module name in ve0_allowed_mod table */
+ for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++) {
+ if (!strcmp(ve0_allowed_mod[i], module))
+ return true;
+ }
+
+ return false;
+}
+#endif /* CONFIG_VE */
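Review bot: The lookup in `module_payload_allowed()` is an exact `strcmp()` against the string passed to `request_module()`, and callers commonly pass aliases rather than canonical module names, with no normalisation of the `-`/`_` equivalence modprobe applies; a table entry spelled as the canonical name will therefore not match an alias request for the same module. That is the conservative failure mode (deny), but it is a contract future table maintainers need to know, so the header comment should say so, e.g. `Entries must be spelled exactly as the string passed to request_module() (aliases included); no "-"/"_" normalisation is done.` Minor: `ARRAY_SIZE()` yields a `size_t`, so declaring the index as `size_t i` avoids a signed/unsigned comparison warning in the loop at `for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++)`.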
--
2.28.0