Re: Updated auth patch for 2.4.12 - kernel/module.c

From: richard offer (offerat_private)
Date: Fri Oct 19 2001 - 08:40:32 PDT

  • Next message: Serge E. Hallyn: "checking superblock"

    * frm offerat_private "10/18/2001 05:28:29 PM -0700" | sed '1,$s/^/* /'
    *
    * 
    * 
    ** frm chrisat_private "10/16/2001 07:34:42 PM -0700" | sed '1,$s/^/* /'
    ** 
    ** 
    **> ===== kernel/module.c 1.16 vs edited =====
    **> @@ -357,8 +357,6 @@
    **>  	unsigned long mod_user_size;
    **>  	struct module_ref *dep;
    **>  
    **> -	if (!capable(CAP_SYS_MODULE))
    **> -		return -EPERM;
    **>  	lock_kernel();
    **>  	if ((namelen = get_mod_name(name_user, &name)) < 0) {
    **>  		error = namelen;
    ** 
    ** am i missing something here?  did you just delete the CAP_SYS_MODULE
    ** check?  this surely isn't right!
    * 
    * Opps, you're right. The intention was to move the capable call nearer the
    * hook, but that is so far into the function that it might be better to move
    * the hook further forward (to limit grottiness), simmilar to how
    * create_module is handled...
    * 
    
    As Lachlan pointed out in private email this means that the hook will now
    be called before the module has been validated. The question is "is this
    important ?". Will the fact that mod->init is out of bounds impact any
    reasonable poliy ?
    
    The name of the module will be available, is that enough on which to base a
    security policy decision ?
    
    richard.
    
    -- 
    -----------------------------------------------------------------------
    Richard Offer                     Technical Lead, Trust Technology, SGI
    "Specialization is for insects"
    ___________________________________________On sabatical Nov 8 -> Nov 30
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 08:41:30 PDT