sys-apps/kmod/files/kmod-24-no-run.patch - third_party/overlays/chromiumos-overlay - Git at Google

 We never generate fragments in /run for modutils to utilize, so disable that
 logic entirely.  This avoids random exploits where tools can write to the /run
 path and then trigger module loading via other means (which runs as root).

 https://crbug.com/780039

 --- a/libkmod/libkmod.c
 +++ b/libkmod/libkmod.c
 @@ -62,7 +62,6 @@ static struct _index_files {

  static const char *default_config_paths[] = {
  	SYSCONFDIR "/modprobe.d",
 -	"/run/modprobe.d",
  	"/lib/modprobe.d",
  	NULL
  };
 --- a/tools/depmod.c
 +++ b/tools/depmod.c
 @@ -49,7 +49,6 @@ static int verbose = DEFAULT_VERBOSE;

  static const char CFG_BUILTIN_KEY[] = "built-in";
  static const char *default_cfg_paths[] = {
 -	"/run/depmod.d",
  	SYSCONFDIR "/depmod.d",
  	"/lib/depmod.d",
  	NULL
	We never generate fragments in /run for modutils to utilize, so disable that
	logic entirely. This avoids random exploits where tools can write to the /run
	path and then trigger module loading via other means (which runs as root).

	https://crbug.com/780039

	--- a/libkmod/libkmod.c
	+++ b/libkmod/libkmod.c
	@@ -62,7 +62,6 @@ static struct _index_files {

	static const char *default_config_paths[] = {
	SYSCONFDIR "/modprobe.d",
	- "/run/modprobe.d",
	"/lib/modprobe.d",
	NULL
	};
	--- a/tools/depmod.c
	+++ b/tools/depmod.c
	@@ -49,7 +49,6 @@ static int verbose = DEFAULT_VERBOSE;

	static const char CFG_BUILTIN_KEY[] = "built-in";
	static const char *default_cfg_paths[] = {
	- "/run/depmod.d",
	SYSCONFDIR "/depmod.d",
	"/lib/depmod.d",
	NULL