[PATCH 4/7] add missing module_alias_subsys
Patrick McHardy
kaber at trash.net
Sat Nov 5 12:56:06 CET 2005
Harald Welte wrote:
> On Sat, Nov 05, 2005 at 08:31:08AM +0100, Patrick McHardy wrote:
>
>>Pablo Neira wrote:
>>
>>>Add missing module alias. This is a must to load ctnetlink on demand.
>>>For example, the conntrack tool will fail if the module isn't loaded.
>>
>>I don't think this is a good idea currently. Capability checking is
>>done after module autoloading, so any user can load ctnetlink,
>>ip_conntrack and all related modules.
>
> interesting point, thanks for mentioning it.
>
>
>>Please make sure to move capability checking in nfnetlink before
>>module loading first.
>
>
> This unfortunately doesn't work with the current architecture, where
> every nfnetlink subsystem can specify the required capabilities per
> message. That specification isn't available before loading the module,
> though.
Didn't we decide to remove the per-subsys capabilities and make all
of them require CAP_NET_ADMIN?
> I think we can (in addition to our usual capability checks) add a
> capability check to only do autoloading of a module if CAP_NET_ADMIN is
> set. Like:
That's also a possibility, but I can't think of a case where we wouldn't
insist on CAP_NET_ADMIN, so just removing the whole per-subsys
capabilities seems easier to me.
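The ordering problem Patrick describes and the check-before-autoload fix Harald sketches, as an added example that is not netfilter code and not the snippet from this thread: a user-space C model in which capable(), request_module_subsys(), the subsystem id and the return codes are assumptions standing in for the kernel's capable() and request_module().

```c
/* Added example, not netfilter code: a user-space model of the ordering
 * problem in the thread; capable() and request_module_subsys() stand in
 * for the kernel's capable() and request_module(). */
#include <stdbool.h>
#include <string.h>
#define CAP_NET_ADMIN 12          /* same value as in linux/capability.h */
#define NFNL_SUBSYS_CTNETLINK 1   /* constructed subsystem id */
static bool sender_caps[64];       /* capabilities of the calling process */
static bool subsys_registered[8];  /* which nfnetlink subsystems are loaded */
static int modules_loaded;         /* how many autoloads were triggered */
static bool capable(int cap) { return sender_caps[cap]; }

/* Stand-in for request_module("nfnetlink-subsys-%d", id). */
static void request_module_subsys(int id) {
    modules_loaded++;
    subsys_registered[id] = true;
}

/* Original ordering: autoload first, check capabilities afterwards.
 * Returns 0 on success, -1 (EPERM) without CAP_NET_ADMIN, -2 (ENOENT)
 * if no subsystem is registered even after autoloading. */
int rcv_autoload_then_check(int subsys_id) {
    if (!subsys_registered[subsys_id])
        request_module_subsys(subsys_id);   /* runs for any sender */
    if (!subsys_registered[subsys_id])
        return -2;
    if (!capable(CAP_NET_ADMIN))
        return -1;
    return 0;
}

/* Fixed ordering suggested in the thread: require CAP_NET_ADMIN before
 * any autoloading, so an unprivileged sender never triggers a module load. */
int rcv_check_then_autoload(int subsys_id) {
    if (!capable(CAP_NET_ADMIN))
        return -1;
    if (!subsys_registered[subsys_id])
        request_module_subsys(subsys_id);
    if (!subsys_registered[subsys_id])
        return -2;
    return 0;
}

/* Model controls: reset state, grant/revoke CAP_NET_ADMIN, count loads. */
void reset_state(void) {
    memset(sender_caps, 0, sizeof sender_caps);
    memset(subsys_registered, 0, sizeof subsys_registered);
    modules_loaded = 0;
}
void set_cap_net_admin(bool on) { sender_caps[CAP_NET_ADMIN] = on; }
int loads_triggered(void) { return modules_loaded; }
```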