OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-kernel/net/ipv4
History
Eric Paris a8f80e8ff9 Networking: use CAP_NET_ADMIN when deciding to call request_module 
The networking code checks CAP_SYS_MODULE before using request_module() to
try to load a kernel module.  While this seems reasonable it's actually
weakening system security since we have to allow CAP_SYS_MODULE for things
like /sbin/ip and bluetoothd which need to be able to trigger module loads.
CAP_SYS_MODULE actually grants those binaries the ability to directly load
any code into the kernel.  We should instead be protecting modprobe and the
modules on disk, rather than granting random programs the ability to load code
directly into the kernel.  Instead we are going to gate those networking checks
on CAP_NET_ADMIN which still limits them to root but which does not grant
those processes the ability to load arbitrary code into the kernel.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: James Morris <jmorris@namei.org>
 		2009-08-14 11:18:34 +10:00
..
netfilter netfilter: tcp conntrack: fix unacknowledged data detection with NAT 2009-06-29 14:07:56 +02:00
Kconfig ipv4: update ARPD help text 2009-06-13 23:36:32 -07:00
Makefile
af_inet.c ipv4: remove ip_mc_drop_socket() declaration from af_inet.c. 2009-06-03 21:43:26 -07:00
ah4.c
arp.c ipv4: ARP neigh procfs buffer overflow 2009-07-30 13:27:29 -07:00
cipso_ipv4.c
datagram.c
devinet.c net: Fix devinet_sysctl_forward 2009-05-18 22:15:58 -07:00
esp4.c
fib_frontend.c ipv4: cleanup: remove unnecessary include. 2009-05-18 15:16:38 -07:00
fib_hash.c ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_lookup.h ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_rules.c net: Remove unused parameter from fill method in fib_rules_ops. 2009-05-20 17:26:23 -07:00
fib_semantics.c ipv4: cleanup - remove two unused parameters from fib_semantic_match(). 2009-05-18 15:16:37 -07:00
fib_trie.c ipv4: Fix fib_trie rebalancing, part 4 (root thresholds) 2009-07-08 10:46:45 -07:00
icmp.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
igmp.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
inet_connection_sock.c
inet_diag.c net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
inet_fragment.c
inet_hashtables.c
inet_lro.c
inet_timewait_sock.c Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/vegard/kmemcheck 2009-06-16 13:09:51 -07:00
inetpeer.c
ip_forward.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ip_fragment.c ipv4: Use frag list abstraction interfaces. 2009-06-09 00:19:37 -07:00
ip_gre.c gre: fix ToS/DiffServ inherit bug 2009-07-14 09:35:59 -07:00
ip_input.c inet: Call skb_orphan before tproxy activates 2009-06-26 19:22:37 -07:00
ip_options.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ip_output.c net: ip_push_pending_frames() fix 2009-07-11 20:26:21 -07:00
ip_sockglue.c net: skb->rtable accessor 2009-06-03 02:51:02 -07:00
ipcomp.c
ipconfig.c ipv4: teach ipconfig about the MTU option in DHCP 2009-05-19 15:36:17 -07:00
ipip.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
ipmr.c PIM-SM: namespace changes 2009-06-14 03:16:13 -07:00
netfilter.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
proc.c snmp: add missing counters for RFC 4293 2009-04-27 02:45:02 -07:00
protocol.c
raw.c net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
route.c ipv4 routing: Ensure that route cache entries are usable and reclaimable with caching is off 2009-06-23 16:36:26 -07:00
syncookies.c syncookies: remove last_synq_overflow from struct tcp_sock 2009-04-20 02:25:26 -07:00
sysctl_net_ipv4.c
tcp.c net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
tcp_bic.c
tcp_cong.c Networking: use CAP_NET_ADMIN when deciding to call request_module 2009-08-14 11:18:34 +10:00
tcp_cubic.c
tcp_diag.c
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: fix loop in ofo handling code and reduce its complexity 2009-05-29 15:02:29 -07:00
tcp_ipv4.c tcp: Use correct peer adr when copying MD5 keys 2009-07-20 07:49:08 -07:00
tcp_lp.c
tcp_minisocks.c tcp: missing check ACK flag of received segment in FIN-WAIT-2 state 2009-06-25 20:03:15 -07:00
tcp_output.c tcp: Fix MD5 signature checking on IPv4 mapped sockets 2009-07-20 07:49:07 -07:00
tcp_probe.c
tcp_scalable.c
tcp_timer.c
tcp_vegas.c tcp: tcp_vegas ssthresh bugfix 2009-05-25 22:44:59 -07:00
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
udp_impl.h
udplite.c
xfrm4_input.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_output.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xfrm4_policy.c xfrm4: fix the ports decode of sctp protocol 2009-07-03 19:10:06 -07:00
xfrm4_state.c
xfrm4_tunnel.c