[RFC PATCH 2/2] security: allow reads from an open /proc/kmsg fd by unprivileged processes

From: Sergey Vlasov
Date: Wed Nov 08 2006 - 07:46:28 EST


With the added check for syslog open rights in sys_syslog() it is
possible to relax restrictions on syslog access in cap_syslog() and
dummy_syslog(), so that a process could open /proc/kmsg, then drop all
privileges including CAP_SYS_ADMIN, and still be able to use the
/proc/kmsg file descriptor for reading kernel messages.

selinux_syslog() is not modified - a process which handles kernel
messages still needs to have the "syslog_mod" permission.

Signed-off-by: Sergey Vlasov <vsu@xxxxxxxxxxx>
---
security/commoncap.c | 24 +++++++++++++++++++++---
security/dummy.c | 24 +++++++++++++++++++++---
2 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index f50fc29..966cfce 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -311,9 +311,27 @@ void cap_task_reparent_to_init (struct t

int cap_syslog (int type)
{
- if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
- return -EPERM;
- return 0;
+ switch (type) {
+ case 3: /* Read last kernel messages */
+ case 10: /* Size of the log buffer */
+ /* Allow dmesg for unprivileged users. */
+ return 0;
+
+ case 2: /* Read from log */
+ case 9: /* Number of chars in the log buffer */
+ /*
+ * Allow read() and poll() on a /proc/kmsg file descriptor
+ * opened by a privileged process. This does not enable
+ * uncontrolled access through the syslog system call, because
+ * sys_syslog() additionally checks the syslog open permission.
+ */
+ return 0;
+
+ default:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+ }
}

int cap_vm_enough_memory(long pages)
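Review bot: With `case 2:` and `case 9:` returning 0 unconditionally, cap_syslog() no longer gates reads of the kernel log at all; the only remaining barrier is the open-permission check in sys_syslog() from patch 1/2, which is not visible here. If any path reaches the log read without going through that check, an unprivileged caller gets the log contents. Since type 2 appears to be the consuming read, such a caller could also drain messages before the real logger sees them. I would state the dependency in the comment, e.g. `/* Must stay paired with the open-permission check in sys_syslog(); this hook alone grants types 2 and 9 to everyone. */`. The same applies to dummy_syslog() in security/dummy.c.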
diff --git a/security/dummy.c b/security/dummy.c
index 58c6d39..3da65fe 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -96,9 +96,27 @@ static int dummy_quota_on (struct dentry

static int dummy_syslog (int type)
{
- if ((type != 3 && type != 10) && current->euid)
- return -EPERM;
- return 0;
+ switch (type) {
+ case 3: /* Read last kernel messages */
+ case 10: /* Size of the log buffer */
+ /* Allow dmesg for unprivileged users. */
+ return 0;
+
+ case 2: /* Read from log */
+ case 9: /* Number of chars in the log buffer */
+ /*
+ * Allow read() and poll() on a /proc/kmsg file descriptor
+ * opened by a privileged process. This does not enable
+ * uncontrolled access through the syslog system call, because
+ * sys_syslog() additionally checks the syslog open permission.
+ */
+ return 0;
+
+ default:
+ if (current->euid)
+ return -EPERM;
+ return 0;
+ }
}

static int dummy_settime(struct timespec *ts, struct timezone *tz)
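Review bot: The switch in dummy_syslog() is a verbatim copy of the one in cap_syslog(), differing only in the `default:` privilege test (`current->euid` versus `capable(CAP_SYS_ADMIN)`), so the list of types that skip the privilege check now lives in two places as bare numbers. A later change to one list that misses the other would leave the two security modules enforcing different syslog policy. Consider a shared helper or named constants for the types; at minimum add a comment such as `/* Keep the unprivileged type list in sync with cap_syslog() in security/commoncap.c. */`.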
--
1.4.3.3.gddcc6
