Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

From: Rusty Russell
Date: Mon Apr 24 2017 - 00:32:30 EST


Djalal Harouni <tixxdz@xxxxxxxxx> writes:
> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a
> module auto-load operation, or CAP_NET_ADMIN for modules with a
> 'netdev-%s' alias.

Sorry, the magic 'netdev-' prefix is a crawling horror. To do this
properly, you need to hand the capability (if any) from the
request_module() call. Probably by adding a new request_module_cap and
making request_module() call that, then fixing up the callers.

Cheers,
Rusty.
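
An added illustration, not part of the original message or of the kernel tree: a userspace C model contrasting the quoted prefix-based check with the call-site capability that the reply suggests. `struct task`, `CAP_NONE`, the helper names, the signature given to `request_module_cap` and the sample aliases are assumptions made for this model.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only, not kernel code. Capability numbers as in linux/capability.h. */
#define CAP_NET_ADMIN  12
#define CAP_SYS_MODULE 16
#define CAP_NONE       (-1)  /* hypothetical: call site names no sufficient capability */

struct task { unsigned long caps; };  /* constructed stand-in for a task in mode (1) */

static bool has_cap(const struct task *t, int cap)
{
    return cap >= 0 && (t->caps & (1UL << cap));
}

/* Quoted behaviour: the required capability is inferred from the alias text. */
static bool autoload_allowed_by_prefix(const struct task *t, const char *alias)
{
    if (has_cap(t, CAP_SYS_MODULE))
        return true;
    return strncmp(alias, "netdev-", 7) == 0 && has_cap(t, CAP_NET_ADMIN);
}

/* Suggested shape: the call site passes the capability that is sufficient. */
static bool request_module_cap(const struct task *t, int cap, const char *fmt, ...)
{
    char alias[64];
    va_list ap;

    va_start(ap, fmt);
    int n = vsnprintf(alias, sizeof(alias), fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof(alias))
        return false;  /* refuse an overlong (truncated) alias */
    return has_cap(t, CAP_SYS_MODULE) || has_cap(t, cap);
}

/* Unconverted callers get the strict default: CAP_SYS_MODULE only. */
#define request_module(t, ...) request_module_cap((t), CAP_NONE, __VA_ARGS__)

int main(void)
{
    struct task net = { 1UL << CAP_NET_ADMIN };  /* constructed sample task */
    printf("%d %d %d\n", autoload_allowed_by_prefix(&net, "netdev-eth0"),
           request_module_cap(&net, CAP_NET_ADMIN, "netdev-%s", "eth0"),
           request_module(&net, "netdev-%s", "eth0"));
    return 0;
}
```

In this model the decision no longer depends on what the alias string looks like: the same `netdev-` alias is refused when the call site did not pass `CAP_NET_ADMIN`.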