Re: [PATCH 1/2] module: Restrict module namespace access to in-tree modules

From: Petr Pavlu
Date: Tue Jul 08 2025 - 09:03:29 EST


On 7/8/25 9:28 AM, Vlastimil Babka wrote:
> The module namespace support has been introduced to allow restricting
> exports to specific modules only, and intended for in-tree modules such
> as kvm. Make this intention explicit by disallowing out of tree modules
> both for the module loader and modpost.
>
> Signed-off-by: Vlastimil Babka <vbabka@xxxxxxx>
> ---
> [...]
> diff --git a/kernel/module/main.c b/kernel/module/main.c
> index 413ac6ea37021bc8ae260f624ca2745ed85333fc..ec7d8daa0347e3b65713396d6b6d14c2cb0270d3 100644
> --- a/kernel/module/main.c
> +++ b/kernel/module/main.c
> @@ -1157,7 +1157,8 @@ static int verify_namespace_is_imported(const struct load_info *info,
> namespace = kernel_symbol_namespace(sym);
> if (namespace && namespace[0]) {
>
> - if (verify_module_namespace(namespace, mod->name))
> + if (get_modinfo(info, "intree") &&
> + verify_module_namespace(namespace, mod->name))
> return 0;
>
> for_each_modinfo_entry(imported_namespace, info, "import_ns") {
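Review bot: the added `get_modinfo(info, "intree")` call sits inside verify_namespace_is_imported(), which runs once per unresolved symbol, so every symbol that lands in a namespace re-scans the module's .modinfo section for the "intree" key even though the answer cannot change between symbols. Please derive the in-tree status once per module, either by hoisting the lookup out of the per-symbol path or by reusing the out-of-tree state the loader already records in the taint flags (TAINT_OOT_MODULE), and pass that into the check; the condition then reads `if (in_tree && verify_module_namespace(namespace, mod->name))`. Separately, the new condition only gates the verify_module_namespace() path: when it fails for an out-of-tree module, control still falls through to the `for_each_modinfo_entry(imported_namespace, info, "import_ns")` loop below, so the commit message's "disallowing out of tree modules" should say whether an explicit import_ns entry is meant to remain a valid way in, or the restriction should be described more narrowly as applying to the module-name based namespace match.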

I'd rather avoid another walk of the modinfo data in
verify_namespace_is_imported(). I suggest checking whether mod->taints
has TAINT_OOT_MODULE set instead, which should provide the same
information. The symbol resolution already relies on the taint flags, so
this is consistent with the rest of the code.

--
Thanks,
Petr