[Devel] [PATCH RH9 02/20] ve/kmod/whitelist: Infrustructure for list of modules to autoload from CT

Kirill Tkhai ktkhai at virtuozzo.com
Fri Oct 8 12:50:42 MSK 2021 

From: Konstantin Khorenko <khorenko at virtuozzo.com>

https://jira.sw.ru/browse/PSBM-127787

It's a port of following vz7 commits:
 * 3a4142e      ("ve/kmod: Port autoloading from CT") (partially)
 * 8af13e7c     ("ve/kmod: list of allowed to autoload in CT modules")
                (partially)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 include/linux/kmod.h |    5 +++++
 kernel/kmod.c        |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/include/linux/kmod.h b/include/linux/kmod.h
index 68f69362d427..d9b8dd81f595 100644
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -32,4 +32,9 @@ static inline int request_module_nowait(const char *name, ...) { return -ENOSYS;
 #define try_then_request_module(x, mod...) (x)
 #endif
 
+#ifdef CONFIG_VE
+extern bool module_payload_allowed(const char *module);
+#else
+static inline bool module_payload_allowed(const char *module) { return true; }
+#endif
 #endif /* __LINUX_KMOD_H__ */
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 2f9afc601d20..c8506fd92017 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -151,6 +151,10 @@ int __request_module(bool wait, const char *fmt, ...)
 	    !ve_allow_module_load)
 		return -EPERM;
 
+	/* Check that module functionality is permitted */
+	if (!module_payload_allowed(module_name))
+		return -EPERM;
+
 	ret = security_kernel_module_request(module_name);
 	if (ret)
 		return ret;
@@ -182,3 +186,32 @@ int __request_module(bool wait, const char *fmt, ...)
 	return ret;
 }
 EXPORT_SYMBOL(__request_module);
+
+#ifdef CONFIG_VE
+
+/* ve0 allowed modules */
+static const char * const ve0_allowed_mod[] = {
+};
+
+/*
+ * module_payload_allowed - check if module functionality is allowed
+ *			    to be used inside current virtual environment.
+ *
+ * Returns true if it is allowed or we're in ve0, false otherwise.
+ */
+bool module_payload_allowed(const char *module)
+{
+	int i;
+
+	if (ve_is_super(get_exec_env()))
+		return true;
+
+	/* Look for full module name in ve0_allowed_mod table */
+	for (i = 0; i < ARRAY_SIZE(ve0_allowed_mod); i++) {
+		if (!strcmp(ve0_allowed_mod[i], module))
+			return true;
+	}
+
+	return false;
+}
+#endif /* CONFIG_VE */

More information about the Devel mailing list