Source-Changes-HG archive


[src/trunk]: src/sys/kern When loading a kernel, test if it's already loaded ...



details:   https://anonhg.NetBSD.org/src/rev/1a2cd5435395
branches:  trunk
changeset: 349389:1a2cd5435395
user:      roy <roy%NetBSD.org@localhost>
date:      Fri Dec 09 13:06:41 2016 +0000

description:
When loading a kernel, test if it's already loaded before authorizing.
This allows us to return EEXIST instead of EPERM for higher secure levels.

My use case was to stop npfctl complaining that it could not load bpfjit
on ERLITE when it was compiled into the kernel.
It then went on to complain that NPF performance would be degraded,
but this is clearly not the case.

diffstat:

 sys/kern/kern_module.c |  25 ++++++++++++++++++-------
 1 files changed, 18 insertions(+), 7 deletions(-)

diffs (55 lines):

diff -r 44c53d636898 -r 1a2cd5435395 sys/kern/kern_module.c
--- a/sys/kern/kern_module.c    Fri Dec 09 13:06:02 2016 +0000
+++ b/sys/kern/kern_module.c    Fri Dec 09 13:06:41 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_module.c,v 1.117 2016/08/13 12:05:49 christos Exp $       */
+/*     $NetBSD: kern_module.c,v 1.118 2016/12/09 13:06:41 roy Exp $    */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.117 2016/08/13 12:05:49 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.118 2016/12/09 13:06:41 roy Exp $");
 
 #define _MODULE_INTERNAL
 
@@ -570,20 +570,31 @@
 module_load(const char *filename, int flags, prop_dictionary_t props,
            modclass_t modclass)
 {
+       module_t *mod;
        int error;
 
+       /* Test if we already have the module loaded before
+        * authorizing so we have the opportunity to return EEXIST. */
+       kernconfig_lock();
+       mod = module_lookup(filename);
+       if (mod != NULL) {
+               module_print("%s module `%s' already loaded",
+                   "requested", filename);
+               error = EEXIST;
+               goto out;
+       }
+
        /* Authorize. */
        error = kauth_authorize_system(kauth_cred_get(), KAUTH_SYSTEM_MODULE,
            0, (void *)(uintptr_t)MODCTL_LOAD, NULL, NULL);
-       if (error != 0) {
-               return error;
-       }
+       if (error != 0)
+               goto out;
 
-       kernconfig_lock();
        error = module_do_load(filename, false, flags, props, NULL, modclass,
            false);
+
+out:
        kernconfig_unlock();
-
        return error;
 }
 
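Review bot: in module_load(), the EEXIST path now returns before kauth_authorize_system() is consulted, so a caller that would be refused with EPERM can tell from the error code whether a given module name is present, and can reach the module_print() call without being authorized. If the set of loaded modules is already visible to such callers this is harmless, but the comment above kernconfig_lock() should say so explicitly so the ordering is not later mistaken for an oversight. Two smaller points: the authorization call now runs with kernconfig_lock held, which is worth confirming is safe for any kauth listener on KAUTH_SYSTEM_MODULE; and the lookup is keyed on filename, so if a caller passes a path rather than a bare module name the early check may not match and the caller still gets EPERM.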


