From alex@fa.tdktca.com  Thu May 23 06:04:20 1996
Received: from shogun.tdktca.com ([206.26.1.21])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id GAA10393
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 May 1996 06:04:19 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id IAA01627 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 May 1996 08:05:57 -0500 (CDT)
Received: from fa.tdktca.com (bsd.fa.tdktca.com [163.49.131.129]) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id IAA01623 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 May 1996 08:05:56 -0500 (CDT)
Received: (from alex@localhost) by fa.tdktca.com (8.7.5/8.6.12) id IAA28940; Thu, 23 May 1996 08:04:34 -0500 (CDT)
Message-Id: <199605231304.IAA28940@fa.tdktca.com>
Date: Thu, 23 May 1996 08:04:34 -0500 (CDT)
From: Alex Nash <alex@fa.tdktca.com>
Reply-To: nash@mcs.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: LKM security patch for 2.1.0-STABLE
X-Send-Pr-Version: 3.2

>Number:         1238
>Category:       kern
>Synopsis:       LKM security improvement in -current not merged into -stable
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    alex
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 23 06:10:02 PDT 1996
>Closed-Date:    Thu May 30 18:45:16 PDT 1996
>Last-Modified:  Thu May 30 18:46:54 PDT 1996
>Originator:     Alex Nash
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

FreeBSD 2.1.0-STABLE systems using LKMs.

>Description:

FreeBSD -current disallows loading/unloading of LKMs when securelevel
is greater than 0.  This addition was not merged into -stable.

>How-To-Repeat:

Perform module load/unload operations while securelevel > 0.

>Fix:
	
Test for securelevel > 0 during ioctl() operations.

*** /usr/src/sys/kern/kern_lkm.c	Thu Sep 14 03:44:28 1995
--- kern_lkm.c	Thu May 23 07:52:03 1996
***************
*** 191,197 ****
  
  	switch(cmd) {
  	case LMRESERV:		/* reserve pages for a module */
! 		if ((flag & FWRITE) == 0) /* only allow this if writing */
  			return EPERM;
  
  		resrvp = (struct lmc_resrv *)data;
--- 191,198 ----
  
  	switch(cmd) {
  	case LMRESERV:		/* reserve pages for a module */
! 		if ((flag & FWRITE) == 0 || securelevel > 0) 
! 			/* only allow this if writing */
  			return EPERM;
  
  		resrvp = (struct lmc_resrv *)data;
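Review bot: the comment `/* only allow this if writing */` has been pushed onto its own line between the condition and `return EPERM;` and now documents only the `FWRITE` half of the test, not the new `securelevel > 0` restriction; suggest rewording it to cover both (for example `/* require write access; refused at securelevel > 0 */`) so the reason for the denial is visible where it is enforced. There is also a trailing space after `securelevel > 0) ` on the changed line.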
***************
*** 231,237 ****
  		break;
  
  	case LMLOADBUF:		/* Copy in; stateful, follows LMRESERV */
! 		if ((flag & FWRITE) == 0) /* only allow this if writing */
  			return EPERM;
  
  		loadbufp = (struct lmc_loadbuf *)data;
--- 232,239 ----
  		break;
  
  	case LMLOADBUF:		/* Copy in; stateful, follows LMRESERV */
! 		if ((flag & FWRITE) == 0 || securelevel > 0) 
! 			/* only allow this if writing */
  			return EPERM;
  
  		loadbufp = (struct lmc_loadbuf *)data;
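Review bot: this rejection returns EPERM without touching `lkm_state`; because LMLOADBUF is stateful and "follows LMRESERV", a loader that reserved pages just before securelevel was raised will have its copy-in refused while the reservation remains in place. Worth confirming that the close path (or an explicit `lkmunreserve()` before returning EPERM) releases the reserved pages so the LKM state does not stay stuck in the reserved state.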
***************
*** 266,272 ****
  		break;
  
  	case LMUNRESRV:		/* discard reserved pages for a module */
! 		if ((flag & FWRITE) == 0) /* only allow this if writing */
  			return EPERM;
  
  		lkmunreserve();	/* coerce state to LKM_IDLE */
--- 268,275 ----
  		break;
  
  	case LMUNRESRV:		/* discard reserved pages for a module */
! 		if ((flag & FWRITE) == 0 || securelevel > 0) 
! 			/* only allow this if writing */
  			return EPERM;
  
  		lkmunreserve();	/* coerce state to LKM_IDLE */
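Review bot: denying LMUNRESRV at securelevel > 0 blocks the only cleanup operation in this ioctl; `lkmunreserve()` only discards reserved pages and coerces the state back to LKM_IDLE and executes no module code. Combined with the LMLOADBUF and LMREADY rejections in the neighbouring hunks, a reservation made before securelevel was raised can no longer be released. Suggest either leaving LMUNRESRV permitted regardless of securelevel, or adding a comment stating why it must be refused.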
***************
*** 276,282 ****
  		break;
  
  	case LMREADY:		/* module loaded: call entry */
! 		if ((flag & FWRITE) == 0) /* only allow this if writing */
  			return EPERM;
  
  		switch (lkm_state) {
--- 279,286 ----
  		break;
  
  	case LMREADY:		/* module loaded: call entry */
! 		if ((flag & FWRITE) == 0 || securelevel > 0) 
! 			/* only allow this if writing */
  			return EPERM;
  
  		switch (lkm_state) {
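Review bot: LMREADY is the case that actually calls the module entry point, so this is the check that carries the security benefit; note that the patch references `securelevel` as a bare global in kern_lkm.c and adds no declaration or include for it, so confirm the file already sees its declaration, otherwise the build fails on -stable. As in the other hunks, the relocated comment no longer mentions the securelevel condition.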
***************
*** 338,344 ****
  		break;
  
  	case LMUNLOAD:		/* unload a module */
! 		if ((flag & FWRITE) == 0) /* only allow this if writing */
  			return EPERM;
  
  		unloadp = (struct lmc_unload *)data;
--- 342,349 ----
  		break;
  
  	case LMUNLOAD:		/* unload a module */
! 		if ((flag & FWRITE) == 0 || securelevel > 0) 
! 			/* only allow this if writing */
  			return EPERM;
  
  		unloadp = (struct lmc_unload *)data;
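Review bot: the identical `(flag & FWRITE) == 0 || securelevel > 0` test is now duplicated across five cases (LMRESERV, LMLOADBUF, LMUNRESRV, LMREADY, LMUNLOAD); consider hoisting it into a single check ahead of the `switch(cmd)` for the write-type commands, or a small helper, so a future write command cannot miss the securelevel restriction. The PR description also says unloading is disallowed in -current, which this hunk matches, so the behaviour is consistent with the stated merge goal.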


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->alex 
Responsible-Changed-By: alex 
Responsible-Changed-When: Wed May 29 16:39:11 PDT 1996 
Responsible-Changed-Why:  
I now have a chance to fix the things I complained about :) 
State-Changed-From-To: open->closed 
State-Changed-By: alex 
State-Changed-When: Thu May 30 18:45:16 PDT 1996 
State-Changed-Why:  
Merged fix from -current. 
>Unformatted:
