summaryrefslogtreecommitdiff
path: root/SOURCES/mod-denylist.sh
diff options
context:
space:
mode:
authorJan200101 <sentrycraft123@gmail.com>2021-07-21 22:57:09 +0200
committerJan200101 <sentrycraft123@gmail.com>2021-07-21 23:21:30 +0200
commitcca3b28be503223222519e3ebba2749cf24894f3 (patch)
tree9f589ac6e7dc6dd8e9830d675d46efbd25191504 /SOURCES/mod-denylist.sh
parent969572ecac2cb15a106d9e0f5bfa840608faa5b4 (diff)
downloadkernel-fsync-cca3b28be503223222519e3ebba2749cf24894f3.tar.gz
kernel-fsync-cca3b28be503223222519e3ebba2749cf24894f3.zip
kernel 5.13.3
Diffstat (limited to 'SOURCES/mod-denylist.sh')
-rwxr-xr-xSOURCES/mod-denylist.sh164
1 files changed, 164 insertions, 0 deletions
diff --git a/SOURCES/mod-denylist.sh b/SOURCES/mod-denylist.sh
new file mode 100755
index 0000000..6127d14
--- /dev/null
+++ b/SOURCES/mod-denylist.sh
@@ -0,0 +1,164 @@
+#! /bin/bash
+# shellcheck disable=SC2164
+
+RpmDir=$1
+ModDir=$2
+Dir="$1/$2"
+# Note the list filename must have the format mod-[PACKAGE].list, for example,
+# mod-internal.list or mod-extra.list. The PACKAGE is used to create a
+# override directory for the modules.
+List=$3
+Dest="$4"
+
+blacklist()
+{
+ cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+ # This kernel module can be automatically loaded by non-root users. To
+ # enhance system security, the module is blacklisted by default to ensure
+ # system administrators make the module available for use as needed.
+ # See https://access.redhat.com/articles/3760101 for more details.
+ #
+ # Remove the blacklist by adding a comment # at the start of the line.
+ blacklist $1
+__EOF__
+}
+
+check_blacklist()
+{
+ mod=$(find "$RpmDir/$ModDir" -name "$1")
+ [ ! "$mod" ] && return 0
+ if modinfo "$mod" | grep -q '^alias:\s\+net-'; then
+ mod="${1##*/}"
+ mod="${mod%.ko*}"
+ echo "$mod has an alias that allows auto-loading. Blacklisting."
+ blacklist "$mod"
+ fi
+}
+
+find_depends()
+{
+ dep=$1
+ depends=$(modinfo "$dep" | sed -n -e "/^depends/ s/^depends:[ \t]*//p")
+ [ -z "$depends" ] && exit
+ for mod in ${depends//,/ }
+ do
+ match=$(grep "^$mod.ko" "$ListName")
+ [ -z "$match" ] && continue
+ # check if the module we are looking at is in mod-* too.
+ # if so we do not need to mark the dep as required.
+ mod2=${dep##*/} # same as $(basename $dep), but faster
+ match2=$(grep "^$mod2" "$ListName")
+ if [ -n "$match2" ]
+ then
+ #echo $mod2 >> notreq.list
+ continue
+ fi
+ echo "$mod".ko >> req.list
+ done
+}
+
+foreachp()
+{
+ P=$(nproc)
+ bgcount=0
+ while read -r mod; do
+ $1 "$mod" &
+
+ bgcount=$((bgcount + 1))
+ if [ $bgcount -eq "$P" ]; then
+ wait -n
+ bgcount=$((bgcount - 1))
+ fi
+ done
+
+ wait
+}
+
+# Destination was specified on the command line
+test -n "$4" && echo "$0: Override Destination $Dest has been specified."
+
+pushd "$Dir"
+
+OverrideDir=$(basename "$List")
+OverrideDir=${OverrideDir%.*}
+OverrideDir=${OverrideDir#*-}
+mkdir -p "$OverrideDir"
+
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+ListName=$(basename "$List")
+export ListName
+
+foreachp find_depends < modnames
+
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+
+while IFS= read -r mod
+do
+ # get the path for the module
+ modpath=$(grep /"$mod" modnames)
+ [ -z "$modpath" ] && continue
+ echo "$modpath" >> dep.list
+done < modules3.list
+
+sort -u dep.list > dep2.list
+
+if [ -n "$Dest" ]; then
+ # now move the modules into the $Dest directory
+ while IFS= read -r mod
+ do
+ newpath=$(dirname "$mod" | sed -e "s/kernel\\//$Dest\//")
+ mkdir -p "$newpath"
+ mv "$mod" "$newpath"
+ echo "$mod" | sed -e "s/kernel\\//$Dest\//" | sed -e "s|^.|${ModDir}|g" >> "$RpmDir"/"$ListName"
+ done < dep2.list
+fi
+
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file. This is kinda ugly, but
+# so are the modules-* packages.
+
+while IFS= read -r mod
+do
+ modfile=$(basename "$mod" | sed -e 's/.ko/.mod/')
+ rm .tmp_versions/"$modfile"
+done < "$Dir"/dep2.list
+
+if [ -z "$Dest" ]; then
+ sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName"
+ echo "./$RpmDir/$ListName created."
+ [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/"
+ foreachp check_blacklist < "$List"
+fi
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+
+floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*)
+if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then
+ blacklist "floppy"
+fi
+
+# avoid an empty kernel-extra package
+echo "$ModDir/$OverrideDir" >> "$RpmDir/$ListName"
+
+pushd "$Dir"
+rm modnames dep.list dep2.list req.list req2.list
+rm "$ListName" modules2.list modules3.list
+popd