[Devel] [PATCH RH9 01/20] ve/sysctl/kmod: Introduce tweak to allow indirect modules load from CT
Kirill Tkhai
ktkhai at virtuozzo.com
Fri Oct 8 12:50:36 MSK 2021
From: Konstantin Khorenko <khorenko at virtuozzo.com>
Introduce "kernel.ve_allow_module_load" sysctl
to allow (1) / deny (0) indirect kernel modules load upon requests
from inside Containers.
Indirect modules "autoload" is enabled by default.
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
include/linux/sysctl.h | 2 ++
kernel/kmod.c | 11 +++++++----
kernel/sysctl.c | 16 ++++++++++++++++
3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 3c59f962f3f6..83ac52e15c73 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -187,6 +187,8 @@ struct ctl_path {
extern int trusted_exec;
+extern int ve_allow_module_load;
+
#ifdef CONFIG_SYSCTL
void proc_sys_poll_notify(struct ctl_table_poll *poll);
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a5959c0ecdc2..2f9afc601d20 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -25,6 +25,8 @@
#include <linux/ptrace.h>
#include <linux/async.h>
#include <linux/uaccess.h>
+#include <linux/ve.h>
+#include <linux/sysctl.h>
#include <trace/events/module.h>
@@ -127,10 +129,6 @@ int __request_module(bool wait, const char *fmt, ...)
char module_name[MODULE_NAME_LEN];
int ret;
- /* Don't allow request_module() inside VE. */
- if (!ve_is_super(get_exec_env()))
- return -EPERM;
-
/*
* We don't allow synchronous module loading from async. Module
* init may invoke async_synchronize_full() which will end up
@@ -148,6 +146,11 @@ int __request_module(bool wait, const char *fmt, ...)
if (ret >= MODULE_NAME_LEN)
return -ENAMETOOLONG;
+ /* Check that autoload is not prohibited using /proc interface */
+ if (!ve_is_super(get_exec_env()) &&
+ !ve_allow_module_load)
+ return -EPERM;
+
ret = security_kernel_module_request(module_name);
if (ret)
return ret;
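Review bot: A request rejected by the new check after the `-ENAMETOOLONG` test returns -EPERM silently, so a host operator cannot tell that a container is triggering module autoload while `kernel.ve_allow_module_load` is 0; a ratelimited message naming the already formatted module would make the policy auditable, e.g. `pr_info_ratelimited("request_module(%s) denied in CT by kernel.ve_allow_module_load\n", module_name);` before the `return -EPERM;`. The flag is read while the sysctl handler may be writing it concurrently; for a plain int this is benign, but a `READ_ONCE(ve_allow_module_load)` would document that. Placing the check before `security_kernel_module_request()` means an LSM never sees the denied request, which is acceptable only if no LSM-level logging of container module requests is expected. `__request_module` begins and ends outside this hunk.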
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 49656fd84639..53090d656dec 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -117,12 +117,17 @@ static int __init set_trusted_exec(char *str)
}
__setup("trusted_exec", set_trusted_exec);
+int ve_allow_module_load = 1;
+EXPORT_SYMBOL(ve_allow_module_load);
+
/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
static int sixty = 60;
#endif
static int __maybe_unused neg_one = -1;
+static int __maybe_unused zero = 0;
+static int __maybe_unused one = 1;
static int __maybe_unused two = 2;
static int __maybe_unused four = 4;
static unsigned long zero_ul;
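Review bot: The new `zero` and `one` statics duplicate the `SYSCTL_ZERO`/`SYSCTL_ONE` pointers this table already uses (`.extra1 = SYSCTL_ZERO` is visible in the kern_table hunk below), so the ve_allow_module_load entry could use `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` and the two `__maybe_unused` definitions dropped; the same applies to the kern_table hunk. `EXPORT_SYMBOL(ve_allow_module_load)` only matters if a module reads the flag; the sole consumer in this series is `__request_module` in built-in kmod.c, so the export looks unnecessary unless another user is planned. The definition is unconditional while the table entry is under `#ifdef CONFIG_VE`, which is harmless but worth aligning.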
@@ -2362,6 +2367,17 @@ static struct ctl_table kern_table[] = {
.extra1 = SYSCTL_ZERO,
.extra2 = &two,
},
+#endif
+#ifdef CONFIG_VE
+ {
+ .procname = "ve_allow_module_load",
+ .data = &ve_allow_module_load,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ .extra1 = &zero,
+ .extra2 = &one,
+ },
#endif
{
.procname = "ngroups_max",
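Review bot: The new `kernel.ve_allow_module_load` entry ships without any documentation; a knob that widens what a container can make the host kernel do should be described in the admin sysctl documentation (Documentation/admin-guide/sysctl/kernel.rst upstream), stating that 1 lets request_module() calls issued on behalf of a container trigger module autoload on the host, 0 makes them fail with EPERM, and the default is 1. The entry sits in the global kern_table with `.mode = 0644`, so the setting is host-wide and cannot differ per container; whether container root can write it depends on the VE permission checks in the proc_sys code, which is not visible here and is worth confirming, since a container that can flip the knob can lift its own restriction.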