From: Emrah Demir <ed@abdsec.com>
To: Kees Cook <keescook@chromium.org>
Cc: Baoquan He <bhe@redhat.com>,
Freeman Zhang <freeman.zhang1992@gmail.com>,
Kexec Mailing List <kexec@lists.infradead.org>,
Zhengyu Zhang <zhezhang@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
keescook@google.com, Dave Young <dyoung@redhat.com>
Subject: Re: Removal of the kernel code/data/bss resources does break kexec/kdump
Date: Fri, 15 Apr 2016 11:46:47 -0400 [thread overview]
Message-ID: <0cc6c4836fae00b175b4595446e1ed4f@abdsec.com> (raw)
In-Reply-To: <CAGXu5jLRnabqSBjdPoaAs-h2VCd_Hn3=hj3JSWTsJvi-cPEjtg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]
On 2016-04-15 00:41, Kees Cook wrote:
> On Thu, Apr 14, 2016 at 6:02 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> On Thu, Apr 14, 2016 at 1:27 PM, Emrah Demir <ed@abdsec.com> wrote:
>>> On 2016-04-14 13:40, Linus Torvalds wrote:
>> I've pushed out my attempt at fixing things properly. Please check
>> that kexec works - and if kexec ends up reading that file as non-root,
>> I don't know what to say/do.
>>
>> Here's the three relevant cases:
>>
>> cat /proc/iomem
>> sudo cat /proc/iomem
>> sudo cat < /proc/iomem
>>
>> and two of them will now show the resource ranges as just plain
>> zeroes. But yes, it needed extra infrastructure to be able to get this
>> right.
>>
>
> Yup, that's why I was saying I was going to try to cook something up
> for -next. It isn't a trivial change. :) Thanks for fixing it up!
>
file_ns_capable bring some problems. I used capable and now there is no
problem as far as I tested.
It'is attached.
Note: I couldn't write "Noted-by:, Reported-by:" Could you write them
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-proc-iomem-only-expose-physical-resource-addresses-t.patch --]
[-- Type: text/x-diff; name=0001-proc-iomem-only-expose-physical-resource-addresses-t.patch, Size: 1918 bytes --]
From 3f17bf8b1e9e129cdaf478a9e83a648b27f6fe73 Mon Sep 17 00:00:00 2001
From: Emrah Demir <ed@abdsec.com>
Date: Fri, 15 Apr 2016 18:34:12 +0300
Subject: [PATCH] /proc/iomem: only expose physical resource addresses to top
user fixing capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
file_ns_capable used in order to show value as 0, but while building
some problems coming up.
kernel/resource.c: In function ‘r_show’:
kernel/resource.c:116:23: error: ‘struct seq_file’ has no member named ‘file’
if (file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) {
^
scripts/Makefile.build:291: recipe for target 'kernel/resource.o' failed
make[1]: *** [kernel/resource.o] Error 1
so instead of file_ns_capable using capable solves problem.
It's now working.
ltr@reces-0:~$ cat /proc/iomem
00000000-00000000 : reserved
00000000-00000000 : System RAM
00000000-00000000 : reserved
00000000-00000000 : PCI Bus 0000:00
00000000-00000000 : Video ROM
00000000-00000000 : Adapter ROM
00000000-00000000 : reserved
root@reces-0:/home/ltr# cat /proc/iomem
00000000-00000fff : reserved
00001000-0009dbff : System RAM
0009dc00-0009ffff : reserved
000a0000-000bffff : PCI Bus 0000:00
000c0000-000cedff : Video ROM
000cf000-000cffff : Adapter ROM
000e0000-000fffff : reserved
Signed-off-by: Emrah Demir <ed@abdsec.com>
---
kernel/resource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index c7727db..52a27e3 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -113,7 +113,7 @@ static int r_show(struct seq_file *m, void *v)
if (p->parent == root)
break;
- if (file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) {
+ if (capable(CAP_SYS_ADMIN)) {
start = r->start;
end = r->end;
} else {
--
2.8.0.rc3
[-- Attachment #3: Type: text/plain, Size: 143 bytes --]
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2016-04-15 15:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-14 10:14 Removal of the kernel code/data/bss resources does break kexec/kdump Freeman Zhang
2016-04-14 11:07 ` Emrah Demir
2016-04-14 17:40 ` Linus Torvalds
2016-04-14 20:27 ` Emrah Demir
2016-04-15 1:02 ` Linus Torvalds
2016-04-15 4:41 ` Kees Cook
2016-04-15 15:46 ` Emrah Demir [this message]
2016-04-15 16:48 ` Linus Torvalds
2016-04-15 17:08 ` Emrah Demir
2016-04-19 9:04 ` Dave Young
2016-04-19 16:20 ` Linus Torvalds
2016-04-20 1:13 ` Dave Young
2016-04-14 11:26 ` Baoquan He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0cc6c4836fae00b175b4595446e1ed4f@abdsec.com \
--to=ed@abdsec.com \
--cc=bhe@redhat.com \
--cc=dyoung@redhat.com \
--cc=freeman.zhang1992@gmail.com \
--cc=keescook@chromium.org \
--cc=keescook@google.com \
--cc=kexec@lists.infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=zhezhang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox