[PATCH] Restrict write access to dmesg

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Restrict write access to dmesg_restrict
@ 2011-03-14 19:35 Richard Weinberger
  2011-03-14 19:49 ` Dan Rosenberg
  2011-03-15 13:46 ` WANG Cong
  0 siblings, 2 replies; 4+ messages in thread
From: Richard Weinberger @ 2011-03-14 19:35 UTC (permalink / raw)
  To: akpm
  Cc: mingo, davem, dzickus, randy.dunlap, drosenberg, linux-kernel,
	Richard Weinberger

When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
to read the kernel ring buffer.
But a root user without CAP_SYS_ADMIN is able to reset
dmesg_restrict to 0.

This is an issue when e.g. LXC (Linux Containers) are used
and complete user space is running without CAP_SYS_ADMIN.
A unprivileged and jailed root user can bypass the
dmesg_restrict protection.

With this patch writing to dmesg_restrict is only allowed
when root has CAP_SYS_ADMIN.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 kernel/sysctl.c |   18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4eed0af..f90c8f6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int write,
 			       void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
 
+#ifdef CONFIG_PRINTK
+static int proc_dmesg_restrict(struct ctl_table *table, int write,
+				void __user *buffer, size_t *lenp, loff_t *ppos);
+#endif
+
 #ifdef CONFIG_MAGIC_SYSRQ
 /* Note: sysrq code uses it's own private copy */
 static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
@@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &dmesg_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.proc_handler	= proc_dmesg_restrict,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
@@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int write,
 	return err;
 }
 
+#ifdef CONFIG_PRINTK
+static int proc_dmesg_restrict(struct ctl_table *table, int write,
+				void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	if (write && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
+	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+#endif
+
 struct do_proc_dointvec_minmax_conv_param {
 	int *min;
 	int *max;
-- 
1.6.6.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] Restrict write access to dmesg_restrict
  2011-03-14 19:35 [PATCH] Restrict write access to dmesg_restrict Richard Weinberger
@ 2011-03-14 19:49 ` Dan Rosenberg
  2011-03-14 20:02   ` Richard Weinberger
  2011-03-15 13:46 ` WANG Cong
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Rosenberg @ 2011-03-14 19:49 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: akpm, mingo, davem, dzickus, randy.dunlap, linux-kernel

On Mon, 2011-03-14 at 20:35 +0100, Richard Weinberger wrote:
> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
> to read the kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset
> dmesg_restrict to 0.

A minor correction, CAP_SYSLOG is needed to read the kernel syslog.  But
I think requiring CAP_SYS_ADMIN is appropriate to modify the value of
the sysctl, so assuming the commit message reflects this:

Acked-by: Dan Rosenberg <drosenberg@vsecurity.com>

> 
> This is an issue when e.g. LXC (Linux Containers) are used
> and complete user space is running without CAP_SYS_ADMIN.
> A unprivileged and jailed root user can bypass the
> dmesg_restrict protection.
> 
> With this patch writing to dmesg_restrict is only allowed
> when root has CAP_SYS_ADMIN.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
>  kernel/sysctl.c |   18 +++++++++++++++++-
>  1 files changed, 17 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 4eed0af..f90c8f6 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int write,
>  			       void __user *buffer, size_t *lenp, loff_t *ppos);
>  #endif
>  
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +				void __user *buffer, size_t *lenp, loff_t *ppos);
> +#endif
> +
>  #ifdef CONFIG_MAGIC_SYSRQ
>  /* Note: sysrq code uses it's own private copy */
>  static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
> @@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
>  		.data		= &dmesg_restrict,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dointvec_minmax,
> +		.proc_handler	= proc_dmesg_restrict,
>  		.extra1		= &zero,
>  		.extra2		= &one,
>  	},
> @@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int write,
>  	return err;
>  }
>  
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +				void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> +	if (write && !capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> +}
> +#endif
> +
>  struct do_proc_dointvec_minmax_conv_param {
>  	int *min;
>  	int *max;
> -- 
> 1.6.6.1



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Restrict write access to dmesg_restrict
  2011-03-14 19:49 ` Dan Rosenberg
@ 2011-03-14 20:02   ` Richard Weinberger
  0 siblings, 0 replies; 4+ messages in thread
From: Richard Weinberger @ 2011-03-14 20:02 UTC (permalink / raw)
  To: Dan Rosenberg; +Cc: akpm, mingo, davem, dzickus, randy.dunlap, linux-kernel

Am Montag 14 März 2011, 20:49:55 schrieb Dan Rosenberg:
> On Mon, 2011-03-14 at 20:35 +0100, Richard Weinberger wrote:
> > When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
> > to read the kernel ring buffer.
> > But a root user without CAP_SYS_ADMIN is able to reset
> > dmesg_restrict to 0.
> 
> A minor correction, CAP_SYSLOG is needed to read the kernel syslog.  But
> I think requiring CAP_SYS_ADMIN is appropriate to modify the value of
> the sysctl, so assuming the commit message reflects this:

Thanks for the info!
I did not notice commit ce6ada3 (security: Define CAP_SYSLOG).
But as you said, writing to dmesg_restrict should still require CAP_SYS_ADMIN.

> Acked-by: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> > This is an issue when e.g. LXC (Linux Containers) are used
> > and complete user space is running without CAP_SYS_ADMIN.
> > A unprivileged and jailed root user can bypass the
> > dmesg_restrict protection.
> > 
> > With this patch writing to dmesg_restrict is only allowed
> > when root has CAP_SYS_ADMIN.
> > 
> > Signed-off-by: Richard Weinberger <richard@nod.at>
> > ---
> > 
> >  kernel/sysctl.c |   18 +++++++++++++++++-
> >  1 files changed, 17 insertions(+), 1 deletions(-)
> > 
> > diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> > index 4eed0af..f90c8f6 100644
> > --- a/kernel/sysctl.c
> > +++ b/kernel/sysctl.c
> > @@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int
> > write,
> > 
> >  			       void __user *buffer, size_t *lenp, loff_t *ppos);
> >  
> >  #endif
> > 
> > +#ifdef CONFIG_PRINTK
> > +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> > +				void __user *buffer, size_t *lenp, loff_t *ppos);
> > +#endif
> > +
> > 
> >  #ifdef CONFIG_MAGIC_SYSRQ
> >  /* Note: sysrq code uses it's own private copy */
> >  static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
> > 
> > @@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
> > 
> >  		.data		= &dmesg_restrict,
> >  		.maxlen		= sizeof(int),
> >  		.mode		= 0644,
> > 
> > -		.proc_handler	= proc_dointvec_minmax,
> > +		.proc_handler	= proc_dmesg_restrict,
> > 
> >  		.extra1		= &zero,
> >  		.extra2		= &one,
> >  	
> >  	},
> > 
> > @@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int
> > write,
> > 
> >  	return err;
> >  
> >  }
> > 
> > +#ifdef CONFIG_PRINTK
> > +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> > +				void __user *buffer, size_t *lenp, loff_t *ppos)
> > +{
> > +	if (write && !capable(CAP_SYS_ADMIN))
> > +		return -EPERM;
> > +
> > +	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> > +}
> > +#endif
> > +
> > 
> >  struct do_proc_dointvec_minmax_conv_param {
> >  
> >  	int *min;
> >  	int *max;


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Restrict write access to dmesg_restrict
  2011-03-14 19:35 [PATCH] Restrict write access to dmesg_restrict Richard Weinberger
  2011-03-14 19:49 ` Dan Rosenberg
@ 2011-03-15 13:46 ` WANG Cong
  1 sibling, 0 replies; 4+ messages in thread
From: WANG Cong @ 2011-03-15 13:46 UTC (permalink / raw)
  To: linux-kernel

On Mon, 14 Mar 2011 20:35:56 +0100, Richard Weinberger wrote:

> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
> kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset dmesg_restrict to
> 0.
> 
> This is an issue when e.g. LXC (Linux Containers) are used and complete
> user space is running without CAP_SYS_ADMIN. A unprivileged and jailed
> root user can bypass the dmesg_restrict protection.
> 
> With this patch writing to dmesg_restrict is only allowed when root has
> CAP_SYS_ADMIN.
> 
> Signed-off-by: Richard Weinberger <richard@nod.at>

Makes sense.

Reviewed-by: WANG Cong <xiyou.wangcong@gmail.com>

Thanks.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2011-03-15 13:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-14 19:35 [PATCH] Restrict write access to dmesg_restrict Richard Weinberger
2011-03-14 19:49 ` Dan Rosenberg
2011-03-14 20:02   ` Richard Weinberger
2011-03-15 13:46 ` WANG Cong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox