From: Kirill Tkhai <ktk...@parallels.com> Patchset description:
Port autoloading of netfilter modules functuonality https://jira.sw.ru/browse/PSBM-28910 Signed-off-by: Kirill Tkhai <ktk...@parallels.com> Kirill Tkhai (4): kmod: Move check of VE permitions from __call_usermodehelper_exec() to upper functions kmod: Port autoloading from CT netfilter: Add autoloading of sockopt modules netfilter: Check for permittions while looking for target and match (cherry picked from commit 6abadc4355f7f7eb65c87940af47c0c2f0ebe472) VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> --- net/netfilter/x_tables.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 596cdd2cc77b..9ff9d4b83d0f 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -170,6 +170,29 @@ xt_unregister_matches(struct xt_match *match, unsigned int n) } EXPORT_SYMBOL(xt_unregister_matches); +/* + * Convert xt_name to module name and check for it's allowed. + * + * xt_name is a module name without prefix. + */ +static bool xt_name_allowed(u8 af, const char *xt_name) +{ + char module_name[MODULE_NAME_LEN] = {'\0'}; + const char *prefix = xt_prefix[af]; + int len = strlen(prefix) + strlen("t_"); + + if (len + strnlen(xt_name, MODULE_NAME_LEN) >= MODULE_NAME_LEN) + return false; + + /* Fallback targets (ipt_standard_target etc) */ + if (strcmp(xt_name, XT_STANDARD_TARGET) == 0 || + strcmp(xt_name, XT_ERROR_TARGET) == 0) + return true; + + sprintf(module_name, "%st_%s", prefix, xt_name); + + return module_payload_allowed(module_name); +} /* * These are weird, but module loading must not be done with mutex @@ -186,6 +209,9 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision) if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) return ERR_PTR(-EINVAL); + if (!xt_name_allowed(af, name)) + return ERR_PTR(err); + mutex_lock(&xt[af].mutex); list_for_each_entry(m, &xt[af].match, list) { if (strcmp(m->name, name) == 0) { @@ -235,6 +261,9 @@ struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN) return ERR_PTR(-EINVAL); + if (!xt_name_allowed(af, name)) + return ERR_PTR(err); + mutex_lock(&xt[af].mutex); list_for_each_entry(t, &xt[af].target, list) { if (strcmp(t->name, name) == 0) { -- 2.28.0 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel