mirror of
https://github.com/freebsd/freebsd-src
synced 2024-11-05 18:22:52 +00:00
Move the securelevel check before loading KLD's into linker_load_file(),
instead of requiring every caller of linker_load_file() to perform the check itself. This avoids netgraph loading KLD's when securelevel > 0, not to mention any future code that may call linker_load_file(). Reviewed by: dfr
This commit is contained in:
Archie Cobbs
parent
849c64f5ff
commit
6c66bbed1a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=62261
3 changed files with 10 additions and 12 deletions
|
|
@ -301,6 +301,10 @@ linker_load_file(const char* filename, linker_file_t* result)
|
|||
linker_file_t lf;
|
||||
int foundfile, error = 0;
|
||||
|
||||
/* Refuse to load modules if securelevel raised */
|
||||
if (securelevel > 0)
|
||||
return EPERM;
|
||||
|
||||
lf = linker_find_file_by_name(filename);
|
||||
if (lf) {
|
||||
KLD_DPF(FILE, ("linker_load_file: file %s is already loaded, incrementing refs\n", filename));
|
||||
|
|
@ -425,6 +429,10 @@ linker_file_unload(linker_file_t file)
|
|||
int error = 0;
|
||||
int i;
|
||||
|
||||
/* Refuse to unload modules if securelevel raised */
|
||||
if (securelevel > 0)
|
||||
return EPERM;
|
||||
|
||||
KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
|
||||
lockmgr(&lock, LK_EXCLUSIVE, 0, curproc);
|
||||
if (file->refs == 1) {
|
||||
|
|
@ -678,7 +686,7 @@ kldload(struct proc* p, struct kldload_args* uap)
|
|||
|
||||
p->p_retval[0] = -1;
|
||||
|
||||
if (securelevel > 0)
|
||||
if (securelevel > 0) /* redundant, but that's OK */
|
||||
return EPERM;
|
||||
|
||||
if ((error = suser(p)) != 0)
|
||||
|
|
@ -721,7 +729,7 @@ kldunload(struct proc* p, struct kldunload_args* uap)
|
|||
linker_file_t lf;
|
||||
int error = 0;
|
||||
|
||||
if (securelevel > 0)
|
||||
if (securelevel > 0) /* redundant, but that's OK */
|
||||
return EPERM;
|
||||
|
||||
if ((error = suser(p)) != 0)
|
||||
|
|
|
|||
|
|
@ -225,11 +225,6 @@ mount(p, uap)
|
|||
if (vfsp == NULL) {
|
||||
linker_file_t lf;
|
||||
|
||||
/* Refuse to load modules if securelevel raised */
|
||||
if (securelevel > 0) {
|
||||
vput(vp);
|
||||
return EPERM;
|
||||
}
|
||||
/* Only load modules for root (very important!) */
|
||||
if ((error = suser(p)) != 0) {
|
||||
vput(vp);
|
||||
|
|
|
|||
|
|
@ -225,11 +225,6 @@ mount(p, uap)
|
|||
if (vfsp == NULL) {
|
||||
linker_file_t lf;
|
||||
|
||||
/* Refuse to load modules if securelevel raised */
|
||||
if (securelevel > 0) {
|
||||
vput(vp);
|
||||
return EPERM;
|
||||
}
|
||||
/* Only load modules for root (very important!) */
|
||||
if ((error = suser(p)) != 0) {
|
||||
vput(vp);
|
||||
|
|
|
|||
Loading…
Reference in a new issue