From: Patrick McHardy <kaber@trash.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>, Pablo Neira <pablo@netfilter.org>
Subject: Re: [PATCH 4/7] add missing module_alias_subsys
Date: Sat, 05 Nov 2005 12:56:06 +0100
Message-ID: <436C9DD6.8090101@trash.net>
In-Reply-To: <20051105115337.GB16000@sunbeam.de.gnumonks.org>
Harald Welte wrote:
> On Sat, Nov 05, 2005 at 08:31:08AM +0100, Patrick McHardy wrote:
>
>>Pablo Neira wrote:
>>
>>>Add missing module alias. This is a must to load ctnetlink on demand.
>>>For example, the conntrack tool will fail if the module isn't loaded.
>>
>>I don't think this is a good idea currently. Capability checking is
>>done after module autoloading, so any user can load ctnetlink,
>>ip_conntrack and all related modules.
>
> interesting point, thanks for mentioning it.
>
>
>>Please make sure to move capability checking in nfnetlink before
>>module loading first.
>
>
> This unfortunately doesn't work with the current architecture, where
> every nfnetlink subsystem can specify the required capabilities per
> message. That specification isn't available before loading the module,
> though.
Didn't we decide to remove the per-subsys capabilities and make all
of them require CAP_NET_ADMIN?
> I think we can (in addition to our usual capability checks) add a
> capability check to only do autoloading of a module if CAP_NET_ADMIN is
> set. Like:
That's also a possibility, but I can't think of a case where we wouldn't
insist on CAP_NET_ADMIN, so just removing the whole per-subsys
capabilities seems easier to me.
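The ordering problem Patrick describes, as an added C model (not code from this thread or from the kernel): the subsystem flags, the request_module() stand-in and the counters are constructed, and the two dispatch functions show why a uniform CAP_NET_ADMIN check placed before the autoload closes the gap without needing per-subsystem data from a module that is not loaded yet.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model of the nfnetlink receive path (not kernel code): a loaded
 * flag per subsystem, a request_module() stand-in, and the two orderings. */
#define CAP_NET_ADMIN 12                    /* bit, as in linux/capability.h */
#define HAS_NET_ADMIN(caps) ((((caps) >> CAP_NET_ADMIN) & 1UL) != 0)
#define NFNL_SUBSYS_COUNT 2                 /* slot 0 stands for ctnetlink */

static bool subsys_loaded[NFNL_SUBSYS_COUNT];
static int autoloads_by_unprivileged;       /* loads an uncapable sender caused */

/* Stand-in for request_module(): records who triggered the load. */
static void request_module_stub(int id, bool sender_has_cap)
{
    subsys_loaded[id] = true;
    if (!sender_has_cap) autoloads_by_unprivileged++;
}

/* Ordering criticised in the thread: autoload first, check caps afterwards.
 * The -EPERM is right, but the module load has already happened. */
int nfnl_rcv_check_after_load(int id, unsigned long caps)
{
    if (id < 0 || id >= NFNL_SUBSYS_COUNT)
        return -EINVAL;
    if (!subsys_loaded[id])
        request_module_stub(id, HAS_NET_ADMIN(caps));
    return HAS_NET_ADMIN(caps) ? 0 : -EPERM;
}

/* Ordering proposed: one uniform CAP_NET_ADMIN check before any autoload,
 * which needs nothing from the not-yet-loaded module. */
int nfnl_rcv_check_before_load(int id, unsigned long caps)
{
    if (id < 0 || id >= NFNL_SUBSYS_COUNT)
        return -EINVAL;
    if (!HAS_NET_ADMIN(caps))
        return -EPERM;
    if (!subsys_loaded[id])
        request_module_stub(id, true);
    return 0;
}

void nfnl_model_reset(void)                 /* clear state between runs */
{
    for (int i = 0; i < NFNL_SUBSYS_COUNT; i++) subsys_loaded[i] = false;
    autoloads_by_unprivileged = 0;
}
int nfnl_unprivileged_autoloads(void) { return autoloads_by_unprivileged; }
bool nfnl_subsys_loaded(int id) { return id >= 0 && id < NFNL_SUBSYS_COUNT && subsys_loaded[id]; }
```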