Date: Thu, 23 May 1996 08:04:34 -0500 (CDT) From: Alex Nash <alex@fa.tdktca.com> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/1238: LKM security patch for 2.1.0-STABLE Message-ID: <199605231304.IAA28940@fa.tdktca.com> Resent-Message-ID: <199605231310.GAA10811@freefall.freebsd.org>
>Number: 1238
>Category: kern
>Synopsis: LKM security improvement in -current not merged into -stable
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 23 06:10:02 PDT 1996
>Last-Modified:
>Originator: Alex Nash
>Organization:
>Release: FreeBSD 2.1-STABLE i386
>Environment:
FreeBSD 2.1.0-STABLE systems using LKMs.
>Description:
FreeBSD -current disallows loading/unloading of LKMs when securelevel
is greater than 0. This addition was not merged into -stable.
>How-To-Repeat:
Perform module load/unload operations while securelevel > 0.
>Fix:
Test for securelevel > 0 during ioctl() operations.
*** /usr/src/sys/kern/kern_lkm.c Thu Sep 14 03:44:28 1995
--- kern_lkm.c Thu May 23 07:52:03 1996
***************
*** 191,197 ****
switch(cmd) {
case LMRESERV: /* reserve pages for a module */
! if ((flag & FWRITE) == 0) /* only allow this if writing */
return EPERM;
resrvp = (struct lmc_resrv *)data;
--- 191,198 ----
switch(cmd) {
case LMRESERV: /* reserve pages for a module */
! if ((flag & FWRITE) == 0 || securelevel > 0)
! /* only allow this if writing */
return EPERM;
resrvp = (struct lmc_resrv *)data;
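Review bot: The retained comment `/* only allow this if writing */` no longer describes the condition above it, which now also returns EPERM when `securelevel > 0`; the same applies in the LMLOADBUF, LMUNRESRV, LMREADY and LMUNLOAD hunks. I would replace it with `/* require write access and securelevel <= 0 */` so that a later reader does not mistake the securelevel test for an accident and drop it. The same two-part test is now written out five times. The switch starts and ends outside these hunks, so I cannot tell whether one shared check is practical, but a small helper or macro would make it harder to add a future module-modifying command without the test.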
***************
*** 231,237 ****
break;
case LMLOADBUF: /* Copy in; stateful, follows LMRESERV */
! if ((flag & FWRITE) == 0) /* only allow this if writing */
return EPERM;
loadbufp = (struct lmc_loadbuf *)data;
--- 232,239 ----
break;
case LMLOADBUF: /* Copy in; stateful, follows LMRESERV */
! if ((flag & FWRITE) == 0 || securelevel > 0)
! /* only allow this if writing */
return EPERM;
loadbufp = (struct lmc_loadbuf *)data;
***************
*** 266,272 ****
break;
case LMUNRESRV: /* discard reserved pages for a module */
! if ((flag & FWRITE) == 0) /* only allow this if writing */
return EPERM;
lkmunreserve(); /* coerce state to LKM_IDLE */
--- 268,275 ----
break;
case LMUNRESRV: /* discard reserved pages for a module */
! if ((flag & FWRITE) == 0 || securelevel > 0)
! /* only allow this if writing */
return EPERM;
lkmunreserve(); /* coerce state to LKM_IDLE */
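Review bot: Refusing LMUNRESRV once `securelevel > 0` means a reservation made before the level was raised can no longer be discarded through this ioctl, so `lkmunreserve()` is not reached on this path and the state is not coerced back to LKM_IDLE. Failing closed is right for the load steps, but it is worth confirming that some path outside this hunk (presumably the device close routine) still releases the reserved pages. If it does, say so here with a comment such as `/* at securelevel > 0 a pending reservation is released only on close */`. If no such path exists, consider keeping the FWRITE-only test for this one case, since discarding a reservation does not appear to add code to the running kernel.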
***************
*** 276,282 ****
break;
case LMREADY: /* module loaded: call entry */
! if ((flag & FWRITE) == 0) /* only allow this if writing */
return EPERM;
switch (lkm_state) {
--- 279,286 ----
break;
case LMREADY: /* module loaded: call entry */
! if ((flag & FWRITE) == 0 || securelevel > 0)
! /* only allow this if writing */
return EPERM;
switch (lkm_state) {
***************
*** 338,344 ****
break;
case LMUNLOAD: /* unload a module */
! if ((flag & FWRITE) == 0) /* only allow this if writing */
return EPERM;
unloadp = (struct lmc_unload *)data;
--- 342,349 ----
break;
case LMUNLOAD: /* unload a module */
! if ((flag & FWRITE) == 0 || securelevel > 0)
! /* only allow this if writing */
return EPERM;
unloadp = (struct lmc_unload *)data;
>Audit-Trail:
>Unformatted:
