From: Sergey Vlasov <vsu@altlinux.ru>
To: Chris Wright <chrisw@sous-sol.org>
Cc: Zack Weinberg <zackw@panix.com>,
	linux-kernel@vger.kernel.org, Sergey Vlasov <vsu@altlinux.ru>
Subject: [RFC PATCH 2/2] security: allow reads from an open /proc/kmsg fd by unprivileged processes
Date: Wed,  8 Nov 2006 15:45:45 +0300
Message-ID: <11629899491709-git-send-email-vsu@altlinux.ru>
In-Reply-To: <11629899452160-git-send-email-vsu@altlinux.ru>

With the added check for syslog open rights in sys_syslog() it is
possible to relax restrictions on syslog access in cap_syslog() and
dummy_syslog(), so that a process could open /proc/kmsg, then drop all
privileges including CAP_SYS_ADMIN, and still be able to use the
/proc/kmsg file descriptor for reading kernel messages.

selinux_syslog() is not modified - a process which handles kernel
messages still needs to have the "syslog_mod" permission.

Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
---
 security/commoncap.c |   24 +++++++++++++++++++++---
 security/dummy.c     |   24 +++++++++++++++++++++---
 2 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index f50fc29..966cfce 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -311,9 +311,27 @@ void cap_task_reparent_to_init (struct t
 
 int cap_syslog (int type)
 {
-	if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	return 0;
+	switch (type) {
+	case 3:		/* Read last kernel messages */
+	case 10:	/* Size of the log buffer */
+		/* Allow dmesg for unprivileged users. */
+		return 0;
+
+	case 2:		/* Read from log */
+	case 9:		/* Number of chars in the log buffer */
+		/*
+		 * Allow read() and poll() on a /proc/kmsg file descriptor
+		 * opened by a privileged process.  This does not enable
+		 * uncontrolled access through the syslog system call, because
+		 * sys_syslog() additionally checks the syslog open permission.
+		 */
+		return 0;
+
+	default:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
+		return 0;
+	}
 }
 
 int cap_vm_enough_memory(long pages)
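
Review bot: in cap_syslog() the new `case 2:` / `case 9:` branch returns 0 with no check of its own, so the only barrier against an unprivileged syslog() call with those types is the open-permission check that the comment attributes to sys_syslog(), which is not part of this patch. If this patch is applied or backported without patch 1/2, types 2 and 9 are allowed for every caller. Consider stating that dependency explicitly in the commit message, or folding the two changes into one patch, so the relaxation cannot land alone. A smaller point: the bare type numbers 2, 3, 9 and 10 are now case labels explained only by comments; named constants shared with sys_syslog() would keep the two lists from drifting apart.
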
diff --git a/security/dummy.c b/security/dummy.c
index 58c6d39..3da65fe 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -96,9 +96,27 @@ static int dummy_quota_on (struct dentry
 
 static int dummy_syslog (int type)
 {
-	if ((type != 3 && type != 10) && current->euid)
-		return -EPERM;
-	return 0;
+	switch (type) {
+	case 3:		/* Read last kernel messages */
+	case 10:	/* Size of the log buffer */
+		/* Allow dmesg for unprivileged users. */
+		return 0;
+
+	case 2:		/* Read from log */
+	case 9:		/* Number of chars in the log buffer */
+		/*
+		 * Allow read() and poll() on a /proc/kmsg file descriptor
+		 * opened by a privileged process.  This does not enable
+		 * uncontrolled access through the syslog system call, because
+		 * sys_syslog() additionally checks the syslog open permission.
+		 */
+		return 0;
+
+	default:
+		if (current->euid)
+			return -EPERM;
+		return 0;
+	}
 }
 
 static int dummy_settime(struct timespec *ts, struct timezone *tz)
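
Review bot: the switch in dummy_syslog() is a copy of the one in cap_syslog(), differing only in the default branch (`if (current->euid)` instead of `if (!capable(CAP_SYS_ADMIN))`), so the list of types allowed without privilege now lives in two files and can diverge. Consider a shared helper that answers whether a given type needs privilege, leaving each hook with only its own privilege test. The comment could also say that the hook receives nothing but `type`, so it cannot itself tell a read() on an inherited /proc/kmsg descriptor from a direct syslog() call; that distinction rests entirely on the caller.
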
-- 
1.4.3.3.gddcc6

