Stephen Hemminger wrote:
> No capability check needed. Any additional paranoia belongs in /sbin/modprobe.
>
> There seems to be lots of existing usage where a user can cause a module
> to be loaded (see bin_fmt, xtables, etc).

x_tables is restricted to CAP_NET_ADMIN, but in net/ alone we have __sock_create (loads protocol families), sock_ioctl (loads bridge, vlan or dlci), the already mentioned netlink case, inet_create (loads IP protocols), inet6_create (similar to inet_create), and a few more.