author | archie <archie@FreeBSD.org> | 2000-06-29 17:57:04 +0000 |
---|---|---|
committer | archie <archie@FreeBSD.org> | 2000-06-29 17:57:04 +0000 |
commit | 0e6c8a1f1b5b88304acc6fb5ca49cd82b9372dbb (patch) | |
tree | e1d0482a4b78d57d4926a5ec74aad86179811959 /sys | |
parent | 32a6eb4143857bbc839f3923272c0a7469e5ff68 (diff) | |
Move the securelevel check before loading KLD's into linker_load_file(),
instead of requiring every caller of linker_load_file() to perform the
check itself. This avoids netgraph loading KLD's when securelevel > 0,
not to mention any future code that may call linker_load_file().
Reviewed by: dfr
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_linker.c | 12 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 5 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 5 |
3 files changed, 10 insertions, 12 deletions
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index bb764f4..f81e000 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -301,6 +301,10 @@ linker_load_file(const char* filename, linker_file_t* result)
 linker_file_t lf;
 int foundfile, error = 0;
+ /* Refuse to load modules if securelevel raised */
+ if (securelevel > 0)
+ return EPERM;
+
 lf = linker_find_file_by_name(filename);
 if (lf) {
 KLD_DPF(FILE, ("linker_load_file: file %s is already loaded, incrementing refs\n", filename));
@@ -425,6 +429,10 @@ linker_file_unload(linker_file_t file)
 int error = 0;
 int i;
+ /* Refuse to unload modules if securelevel raised */
+ if (securelevel > 0)
+ return EPERM;
+
 KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
 lockmgr(&lock, LK_EXCLUSIVE, 0, curproc);
 if (file->refs == 1) {
@@ -678,7 +686,7 @@ kldload(struct proc* p, struct kldload_args* uap)
 p->p_retval[0] = -1;
- if (securelevel > 0)
+ if (securelevel > 0) /* redundant, but that's OK */
 return EPERM;
 if ((error = suser(p)) != 0)
@@ -721,7 +729,7 @@ kldunload(struct proc* p, struct kldunload_args* uap)
 linker_file_t lf;
 int error = 0;
- if (securelevel > 0)
+ if (securelevel > 0) /* redundant, but that's OK */
 return EPERM;
 if ((error = suser(p)) != 0)
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 57a844d..5c808bd 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -225,11 +225,6 @@ mount(p, uap)
 if (vfsp == NULL) {
 linker_file_t lf;
- /* Refuse to load modules if securelevel raised */
- if (securelevel > 0) {
- vput(vp);
- return EPERM;
- }
 /* Only load modules for root (very important!) */
 if ((error = suser(p)) != 0) {
 vput(vp);
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 57a844d..5c808bd 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c 
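Review bot: The guard added at the top of linker_load_file() enforces securelevel only; the function takes no struct proc, so the suser() check stays with each caller (mount keeps its own in the later hunk), and whether netgraph or any future caller performs one is not visible here. Since the change exists so that callers stop checking for themselves, the comment should say what remains their job, e.g. `/* Refuse to load modules if securelevel raised; callers must still do their own suser() check */`. The guard also runs before linker_find_file_by_name(), so a file that is already loaded is refused instead of having its reference count incremented; that looks intended but is worth one line in the comment. The function body continues outside the hunk.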
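Review bot: In linker_file_unload() the securelevel guard sits ahead of the `file->refs == 1` test, so it refuses a plain reference drop as well as a real unload. A kernel caller that took its reference while securelevel was 0 and releases it after the level is raised would get EPERM and leave the count unchanged; whether any caller ignores that return value cannot be seen from this hunk. If only the final unload is meant to be blocked, the check belongs inside the `refs == 1` branch; otherwise the comment should say so, e.g. `/* Refuse to unload modules, or drop references, if securelevel raised */`. The commit description covers only the load path, so this second behaviour change is easy to miss.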
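Review bot: The comment `/* redundant, but that's OK */` in kldload(), and the identical one in kldunload(), does not say why the duplicate check is kept. The early return fixes the syscall path's order of checks, securelevel before suser(), which the shared check inside the linker functions would not preserve if this line were deleted. A comment such as `/* also enforced in linker_load_file(); kept so the syscall fails before suser() */` tells the next reader not to remove it; in kldunload() it would name linker_file_unload() instead. Both function bodies continue outside their hunks.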
@@ -225,11 +225,6 @@ mount(p, uap)
 if (vfsp == NULL) {
 linker_file_t lf;
- /* Refuse to load modules if securelevel raised */
- if (securelevel > 0) {
- vput(vp);
- return EPERM;
- }
 /* Only load modules for root (very important!) */
 if ((error = suser(p)) != 0) {
 vput(vp); |