Module Name:    src
Committed By:   roy
Date:           Fri Dec  9 13:06:41 UTC 2016

Modified Files:
        src/sys/kern: kern_module.c

Log Message:
When loading a kernel module, test if it's already loaded before authorizing.
This allows us to return EEXIST instead of EPERM for higher secure levels.

My use case was to stop npfctl complaining that it could not load bpfjit
on ERLITE when it was compiled into the kernel.
It then went on to complain that NPF performance would be degraded,
but this is clearly not the case.


To generate a diff of this commit:
cvs rdiff -u -r1.117 -r1.118 src/sys/kern/kern_module.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/kern_module.c
diff -u src/sys/kern/kern_module.c:1.117 src/sys/kern/kern_module.c:1.118
--- src/sys/kern/kern_module.c:1.117	Sat Aug 13 12:05:49 2016
+++ src/sys/kern/kern_module.c	Fri Dec  9 13:06:41 2016
@@ -1,4 +1,4 @@
-/*	$NetBSD: kern_module.c,v 1.117 2016/08/13 12:05:49 christos Exp $	*/
+/*	$NetBSD: kern_module.c,v 1.118 2016/12/09 13:06:41 roy Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.117 2016/08/13 12:05:49 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.118 2016/12/09 13:06:41 roy Exp $");
 
 #define _MODULE_INTERNAL
 
@@ -570,20 +570,31 @@ int
 module_load(const char *filename, int flags, prop_dictionary_t props,
 	    modclass_t modclass)
 {
+	module_t *mod;
 	int error;
 
+	/* Test if we already have the module loaded before
+	 * authorizing so we have the opportunity to return EEXIST. */
+	kernconfig_lock();
+	mod = module_lookup(filename);
+	if (mod != NULL) {
+		module_print("%s module `%s' already loaded",
+		    "requested", filename);
+		error = EEXIST;
+		goto out;
+	}
+
 	/* Authorize. */
 	error = kauth_authorize_system(kauth_cred_get(), KAUTH_SYSTEM_MODULE,
 	    0, (void *)(uintptr_t)MODCTL_LOAD, NULL, NULL);
-	if (error != 0) {
-		return error;
-	}
+	if (error != 0)
+		goto out;
 
-	kernconfig_lock();
 	error = module_do_load(filename, false, flags, props, NULL, modclass,
 	    false);
-	kernconfig_unlock();
 
+out:
+	kernconfig_unlock();
 	return error;
 }
 
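Review bot: Because `module_lookup(filename)` now runs before `kauth_authorize_system()`, a caller who would be denied gets EEXIST for a loaded module and EPERM otherwise, so the return code discloses whether a module is present, and the kauth listeners never see the request on that path. If that is intended (the loaded-module list may already be readable without privilege, which this hunk does not show), the new comment should say so, e.g. `/* Deliberately before kauth: this only reveals whether the module is loaded. */`. The kauth call also now runs with `kernconfig_lock()` held, which is worth confirming against any listener that could take the same lock. `filename` is passed to `module_lookup()` unchanged, so a path-style argument presumably will not match a loaded module's name and still ends in EPERM.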
