From: Rusty Russell
To: Djalal Harouni, Linux Kernel Mailing List, Andy Lutomirski, Kees Cook, Andrew Morton, serge@hallyn.com, kernel-hardening@lists.openwall.com, linux-security-module@vger.kernel.org
Cc: Linux API, Dongsu Park, Casey Schaufler, James Morris, Paul Moore, Tetsuo Handa, Greg Kroah-Hartman, Jonathan Corbet, Jessica Yu, Arnaldo Carvalho de Melo, Mauro Carvalho Chehab, Ingo Molnar, zendyani@gmail.com, Peter Zijlstra, Djalal Harouni
Subject: Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction
Date: Mon, 24 Apr 2017 13:59:48 +0930
Message-ID: <87r30ifmwz.fsf@rustcorp.com.au>
In-Reply-To: <1492640420-27345-3-git-send-email-tixxdz@gmail.com>
References: <1492640420-27345-1-git-send-email-tixxdz@gmail.com> <1492640420-27345-3-git-send-email-tixxdz@gmail.com>

Djalal Harouni writes:
> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a
> module auto-load operation, or CAP_NET_ADMIN for modules with a
> 'netdev-%s' alias.

Sorry, the magic 'netdev-' prefix is a crawling horror.

To do this properly, you need to hand the capability (if any) from the
request_module() call. Probably by adding a new request_module_cap and
making request_module() call that, then fixing up the callers.

Cheers,
Rusty.
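Rusty's suggestion, modelled in user-space C as an added example (not code from the patch, the kernel, or Rusty): a request_module_cap() that takes the accepted capability from its caller, a request_module() wrapper that grants nothing extra, and, for contrast, the alias-prefix rule the quoted text describes. The capability bit values, the modules_autoload_mode variable and the task_has_cap() helper are assumptions of this model, not kernel APIs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed capability bits for this model; the kernel's numbering differs. */
#define CAP_NONE       0u
#define CAP_NET_ADMIN  (1u << 0)
#define CAP_SYS_MODULE (1u << 1)

/* Model of the proposed sysctl: 0 = autoload unrestricted, 1 = capability required. */
unsigned int modules_autoload_mode = 1;

static bool task_has_cap(unsigned int task_caps, unsigned int cap)
{
    return cap != CAP_NONE && (task_caps & cap) == cap;
}

/* Approach in the quoted patch text: infer the accepted capability from the alias. */
bool autoload_allowed_by_prefix(unsigned int task_caps, const char *alias)
{
    if (modules_autoload_mode == 0 || task_has_cap(task_caps, CAP_SYS_MODULE))
        return true;
    return strncmp(alias, "netdev-", 7) == 0 && task_has_cap(task_caps, CAP_NET_ADMIN);
}

/* Rusty's suggestion: the caller hands over the capability it deems sufficient
 * (CAP_NONE if none), so the policy never has to inspect the alias string. */
bool request_module_cap(unsigned int task_caps, unsigned int cap, const char *alias)
{
    if (modules_autoload_mode == 1 && !task_has_cap(task_caps, CAP_SYS_MODULE)
        && !task_has_cap(task_caps, cap))
        return false;
    printf("loading module for alias %s\n", alias); /* stand-in for the real loader */
    return true;
}

/* Unchanged callers keep using request_module(); it grants nothing beyond CAP_SYS_MODULE. */
bool request_module(unsigned int task_caps, const char *alias)
{
    return request_module_cap(task_caps, CAP_NONE, alias);
}

int main(void)
{
    /* Only CAP_NET_ADMIN held: explicit and generic paths differ; the prefix rule cannot tell the callers apart. */
    printf("explicit: %d\n", request_module_cap(CAP_NET_ADMIN, CAP_NET_ADMIN, "netdev-eth0"));
    printf("generic:  %d\n", request_module(CAP_NET_ADMIN, "netdev-eth0"));
    printf("prefix:   %d\n", autoload_allowed_by_prefix(CAP_NET_ADMIN, "netdev-eth0"));
    return 0;
}
```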