Move the securelevel check before loading KLD's into linker_load_file(),

instead of requiring every caller of linker_load_file() to perform the
check itself. This avoids netgraph loading KLD's when securelevel > 0,
not to mention any future code that may call linker_load_file().

Reviewed by:	dfr

1 files changed, 10 insertions, 2 deletions

diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index bb764f4..f81e000 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -301,6 +301,10 @@ linker_load_file(const char* filename, linker_file_t* result)
     linker_file_t lf;
     int foundfile, error = 0;
 
+    /* Refuse to load modules if securelevel raised */
+    if (securelevel > 0)
+	return EPERM; 
+
     lf = linker_find_file_by_name(filename);
     if (lf) {
 	KLD_DPF(FILE, ("linker_load_file: file %s is already loaded, incrementing refs\n", filename));
@@ -425,6 +429,10 @@ linker_file_unload(linker_file_t file)
     int error = 0;
     int i;
 
+    /* Refuse to unload modules if securelevel raised */
+    if (securelevel > 0)
+	return EPERM; 
+
     KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
     lockmgr(&lock, LK_EXCLUSIVE, 0, curproc);
     if (file->refs == 1) {
@@ -678,7 +686,7 @@ kldload(struct proc* p, struct kldload_args* uap)
 
     p->p_retval[0] = -1;
 
-    if (securelevel > 0)
+    if (securelevel > 0)	/* redundant, but that's OK */
 	return EPERM;
 
     if ((error = suser(p)) != 0)
@@ -721,7 +729,7 @@ kldunload(struct proc* p, struct kldunload_args* uap)
     linker_file_t lf;
     int error = 0;
 
-    if (securelevel > 0)
+    if (securelevel > 0)	/* redundant, but that's OK */
 	return EPERM;
 
     if ((error = suser(p)) != 0)