The module loader will reject unsigned modules from loading if such a module attempts to import a symbol which has the import protection bit set in the kflagstab entry for the symbol.
Signed-off-by: Siddharth Nayyar <[email protected]> Reviewed-by: Petr Pavlu <[email protected]> --- kernel/module/internal.h | 1 + kernel/module/main.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/kernel/module/internal.h b/kernel/module/internal.h index 061161cc79d9..98faaf8900aa 100644 --- a/kernel/module/internal.h +++ b/kernel/module/internal.h @@ -108,6 +108,7 @@ struct find_symbol_arg { const u32 *crc; const struct kernel_symbol *sym; enum mod_license license; + bool is_protected; }; /* modules using other modules */ diff --git a/kernel/module/main.c b/kernel/module/main.c index f5f9872dc070..c27df62a68f5 100644 --- a/kernel/module/main.c +++ b/kernel/module/main.c @@ -380,6 +380,7 @@ static bool find_exported_symbol_in_section(const struct symsearch *syms, fsa->crc = symversion(syms->crcs, sym - syms->start); fsa->sym = sym; fsa->license = (sym_flags & KSYM_FLAG_GPL_ONLY) ? GPL_ONLY : NOT_GPL_ONLY; + fsa->is_protected = sym_flags & KSYM_FLAG_PROTECTED; return true; } @@ -1267,6 +1268,13 @@ static const struct kernel_symbol *resolve_symbol(struct module *mod, goto getname; } + if (fsa.is_protected && !mod->sig_ok) { + pr_warn("%s: Cannot use protected symbol %s\n", + mod->name, name); + fsa.sym = ERR_PTR(-EACCES); + goto getname; + } + err = ref_module(mod, fsa.owner); if (err) { fsa.sym = ERR_PTR(err); @@ -1550,7 +1558,7 @@ static int simplify_symbols(struct module *mod, const struct load_info *info) break; ret = PTR_ERR(ksym) ?: -ENOENT; - pr_warn("%s: Unknown symbol %s (err %d)\n", + pr_warn("%s: Unresolved symbol %s (err %d)\n", mod->name, name, ret); break; -- 2.51.0.740.g6adb054d12-goog
