kernel-ark/drivers
Eric Paris a8f80e8ff9 Networking: use CAP_NET_ADMIN when deciding to call request_module
The networking code checks CAP_SYS_MODULE before using request_module() to
try to load a kernel module.  While this seems reasonable it's actually
weakening system security since we have to allow CAP_SYS_MODULE for things
like /sbin/ip and bluetoothd which need to be able to trigger module loads.
CAP_SYS_MODULE actually grants those binaries the ability to directly load
any code into the kernel.  We should instead be protecting modprobe and the
modules on disk, rather than granting random programs the ability to load code
directly into the kernel.  Instead we are going to gate those networking checks
on CAP_NET_ADMIN which still limits them to root but which does not grant
those processes the ability to load arbitrary code into the kernel.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: James Morris <jmorris@namei.org>
2009-08-14 11:18:34 +10:00
..
accessibility
acpi Merge branch 'misc-2.6.31' into release 2009-08-02 12:55:51 -04:00
amba
ata libata: accept late unlocking of HPA 2009-07-28 21:07:09 -04:00
atm
auxdisplay
base driver core: sysdev: do not send KOBJ_ADD uevent if kobject_init_and_add fails 2009-07-28 13:45:22 -07:00
block mg_disk: Add missing ready status check on mg_write() 2009-07-28 08:57:33 +02:00
bluetooth
cdrom
char pty: fix data loss when stopped (^S/^Q) 2009-08-10 13:31:18 -07:00
clocksource
connector connector: maintainer/mail update. 2009-07-21 12:43:51 -07:00
cpufreq [CPUFREQ] Make cpufreq suspend code conditional on powerpc. 2009-08-04 14:32:11 -04:00
cpuidle
crypto
dca
dio
dma Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx 2009-07-30 16:46:31 -07:00
edac amd64_edac: print debug statements only on error 2009-08-04 12:10:06 +02:00
eisa
firewire
firmware
gpio
gpu drm/i915: silence vblank warnings 2009-08-09 12:25:29 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2009-07-22 09:30:07 -07:00
hwmon hwmon: (asus_atk0110) Fix upper limit readings 2009-07-28 16:31:39 +02:00
i2c i2c-omap: OMAP3430 Silicon Errata 1.153 2009-07-30 01:03:24 +01:00
ide ide-tape: Don't leak kernel stack information 2009-07-21 20:36:25 -07:00
idle
ieee1394
ieee802154
infiniband
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2009-08-07 10:42:14 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-04 15:38:34 -07:00
leds
lguest lguest and virtio: cleanup struct definitions to Linux style. 2009-07-30 16:03:46 +09:30
macintosh
mca
md md: Use revalidate_disk to effect changes in size of device. 2009-08-03 10:59:58 +10:00
media V4L/DVB (12303): cx23885: check pointers before dereferencing in dprintk macro 2009-07-24 14:03:32 -03:00
memstick
message
mfd mfd: twl4030 irq fixes 2009-08-04 20:31:32 +02:00
misc cb710: use SG_MITER_TO_SG/SG_MITER_FROM_SG 2009-07-31 12:28:46 +02:00
mmc drivers/mmc: correct error-handling code 2009-08-07 10:39:56 -07:00
mtd Merge branch 'for-linus' of git://git.infradead.org/ubi-2.6 2009-08-09 14:58:34 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-04 15:38:34 -07:00
nubus
of of/mdio: Add support function for Ethernet fixed-link property 2009-07-22 09:27:18 -07:00
oprofile
parisc parisc: hppb.c - fix printk format strings 2009-08-02 15:42:39 +02:00
parport
pci Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6 2009-08-10 11:00:37 -07:00
pcmcia
platform Merge branch 'bugzilla-13825' into release 2009-08-02 12:36:01 -04:00
pnp
power Merge git://git.infradead.org/users/cbou/battery-2.6.31 2009-07-30 16:45:53 -07:00
pps
ps3
rapidio
regulator
rtc rtc: mark if rtc-cmos drivers were successfully registered 2009-07-29 19:10:35 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6 2009-08-04 15:38:10 -07:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-08-04 15:38:34 -07:00
serial Merge master.kernel.org:/home/rmk/linux-2.6-arm 2009-08-07 10:46:51 -07:00
sh
sn
spi spi: omap2_mcspi rxdma bugfix 2009-07-29 19:10:35 -07:00
ssb
staging Networking: use CAP_NET_ADMIN when deciding to call request_module 2009-08-14 11:18:34 +10:00
tc
telephony
thermal
uio
usb USB: fix oops on disconnect in cdc-acm 2009-08-07 16:05:14 -07:00
uwb
video i.MX31: fix framebuffer locking regressions 2009-08-07 10:39:56 -07:00
virtio virtio: refactor find_vqs 2009-07-30 16:03:45 +09:30
vlynq
w1 drivers/w1/masters/omap_hdq.c: fix missing mutex unlock 2009-08-07 10:39:55 -07:00
watchdog Merge master.kernel.org:/home/rmk/linux-2.6-arm 2009-08-07 10:46:51 -07:00
xen
zorro
Kconfig
Makefile