* [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Phillip Lougher @ 2012-03-30 23:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Andrew Morton, Richard Weinberger, Dan Rosenberg, Serge E. Hallyn,
	Eugene Teo, Eric Paris, James Morris, Kees Cook

Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
however, it incorrectly alters kptr_restrict rather than
dmesg_restrict.

The original patch from Richard Weinberger
(https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
expected, and so the patch seems to have been misapplied.

Signed-off-by: Phillip Lougher <plougher@redhat.com>
---
 kernel/sysctl.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index f487f25..72a5302 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -713,7 +713,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &dmesg_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.proc_handler	= proc_dmesg_restrict,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
@@ -722,7 +722,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &kptr_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dmesg_restrict,
+		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
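
Review bot: Switching kptr_restrict's `.proc_handler` back to `proc_dointvec_minmax` in this hunk takes the capability-checking handler off a sysctl that stays at `.mode = 0644`, so writes to it are again gated by the file mode alone. If kptr_restrict deserves the same protection as dmesg_restrict, point both entries at the checking handler instead of swapping it between them, and say in the changelog which behaviour is intended for kptr_restrict.
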
-- 
1.7.9.5


* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Richard Weinberger @ 2012-03-30 23:50 UTC (permalink / raw)
  To: Phillip Lougher
  Cc: linux-kernel, Andrew Morton, Dan Rosenberg, Serge E. Hallyn,
	Eugene Teo, Eric Paris, James Morris, Kees Cook

On 31.03.2012 01:43, Phillip Lougher wrote:
> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
> however, it incorrectly alters kptr_restrict rather than
> dmesg_restrict.
> 
> The original patch from Richard Weinberger
> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
> expected, and so the patch seems to have been misapplied.
> 

Hmm, indeed.
Any idea how this could happen, Andrew?

Thanks,
//richard


* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Andrew Morton @ 2012-03-31  0:55 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: Phillip Lougher, linux-kernel, Dan Rosenberg, Serge E. Hallyn,
	Eugene Teo, Eric Paris, James Morris, Kees Cook

On Sat, 31 Mar 2012 01:50:52 +0200 Richard Weinberger <richard@nod.at> wrote:

> On 31.03.2012 01:43, Phillip Lougher wrote:
> > Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
> > however, it incorrectly alters kptr_restrict rather than
> > dmesg_restrict.
> > 
> > The original patch from Richard Weinberger
> > (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
> > expected, and so the patch seems to have been misapplied.
> > 
> 
> Hmm, indeed.
> Any idea how this could happen, Andrew?

Presumably someone else fiddled with the file, patch(1) misapplied the
hunk and I didn't notice.

Send a fix?

* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Phillip Lougher @ 2012-03-31  1:58 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Richard Weinberger, Phillip Lougher, linux-kernel, Dan Rosenberg,
	Serge E. Hallyn, Eugene Teo, Eric Paris, James Morris, Kees Cook,
	Greg Kroah-Hartman

On Sat, Mar 31, 2012 at 1:55 AM, Andrew Morton
<akpm@linux-foundation.org> wrote:
>
> Presumably someone else fiddled with the file, patch(1) misapplied the
> hunk and I didn't notice.
>

That was my guess, the repeated near-identical sysfs entries are
confusing patch.  The stable kernels also suffer from this
misapplication, but the misapplication is random, for instance I
noticed here

http://www.mail-archive.com/stable@linux.kernel.org/msg07097.html

that the patch has been misapplied to suid_dumpable.  It looks like
all of the stable kernels need to be separately checked, and if
necessary different patches need to be generated.

> Send a fix?

My original email has the fix...

Phillip
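
The per-tree check described above, confirming which `kern_table` entry the capability-checking handler actually landed on, can be scripted. This is an added example, not part of the original post or the kernel tree: the table text is constructed from the fields visible in the patch hunks, the `suid_dumpable` entry's bounds are made up, and `parse_entries`, `audit`, `c_entry` and `table` are hypothetical helper names.

```python
import re

# One innermost "{ ... }" initializer, i.e. a single ctl_table entry.
ENTRY_RE = re.compile(r"\{([^{}]*)\}")
# ".field = value," with an optional leading '&' stripped from the value.
FIELD_RE = re.compile(r"\.(\w+)\s*=\s*&?\s*([^,\n]+?)\s*,")

def parse_entries(source):
    """Return one {field: value} dict per entry that has .data and .proc_handler."""
    entries = []
    for body in ENTRY_RE.findall(source):
        fields = dict(FIELD_RE.findall(body))
        if "data" in fields and "proc_handler" in fields:
            entries.append(fields)
    return entries

def audit(source, must_check, checking_handlers):
    """List (data, handler, problem) for entries whose handler does not match policy."""
    findings, seen = [], set()
    for entry in parse_entries(source):
        data, handler = entry["data"], entry["proc_handler"]
        seen.add(data)
        guarded = handler in checking_handlers
        if data in must_check and not guarded:
            findings.append((data, handler, "missing capability check"))
        elif data not in must_check and guarded:
            # The checking handler sitting on some other entry is the
            # signature of a hunk that patch(1) applied in the wrong place.
            findings.append((data, handler, "unexpected capability check"))
    for data in sorted(must_check - seen):
        findings.append((data, None, "entry not found"))
    return findings

def c_entry(data, handler, upper):
    """Build constructed C text shaped like the entries in the hunks."""
    return ("\t{\n"
            f"\t\t.data\t\t= &{data},\n"
            "\t\t.maxlen\t\t= sizeof(int),\n"
            "\t\t.mode\t\t= 0644,\n"
            f"\t\t.proc_handler\t= {handler},\n"
            "\t\t.extra1\t\t= &zero,\n"
            f"\t\t.extra2\t\t= &{upper},\n"
            "\t},\n")

def table(*entries):
    return "static struct ctl_table kern_table[] = {\n" + "".join(entries) + "};\n"

# Policy assumed for the example: both sysctls must use a checking handler.
MUST_CHECK = {"dmesg_restrict", "kptr_restrict"}
CHECKING = {"proc_dmesg_restrict", "proc_dointvec_minmax_sysadmin"}

# Constructed: the state shown by the '-' lines of the first patch.
MAINLINE_MISAPPLIED = table(
    c_entry("dmesg_restrict", "proc_dointvec_minmax", "one"),
    c_entry("kptr_restrict", "proc_dmesg_restrict", "two"))
# Constructed: a tree where the hunk landed on suid_dumpable instead.
STABLE_MISAPPLIED = table(
    c_entry("suid_dumpable", "proc_dmesg_restrict", "two"),
    c_entry("dmesg_restrict", "proc_dointvec_minmax", "one"),
    c_entry("kptr_restrict", "proc_dointvec_minmax", "two"))
# Constructed: the state shown by the '+' lines of the later patch.
FIXED = table(
    c_entry("dmesg_restrict", "proc_dointvec_minmax_sysadmin", "one"),
    c_entry("kptr_restrict", "proc_dointvec_minmax_sysadmin", "two"))

if __name__ == "__main__":
    for name, src in [("mainline", MAINLINE_MISAPPLIED),
                      ("stable", STABLE_MISAPPLIED), ("fixed", FIXED)]:
        print(name, audit(src, MUST_CHECK, CHECKING))
```

Run against a real tree, the `source` argument would be the contents of `kernel/sysctl.c` from that tree, with the policy sets adjusted to the handler name that tree uses.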

* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Greg Kroah-Hartman @ 2012-03-31 16:13 UTC (permalink / raw)
  To: Phillip Lougher
  Cc: Andrew Morton, Richard Weinberger, Phillip Lougher, linux-kernel,
	Dan Rosenberg, Serge E. Hallyn, Eugene Teo, Eric Paris,
	James Morris, Kees Cook

On Sat, Mar 31, 2012 at 02:58:02AM +0100, Phillip Lougher wrote:
> On Sat, Mar 31, 2012 at 1:55 AM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
> >
> > Presumably someone else fiddled with the file, patch(1) misapplied the
> > hunk and I didn't notice.
> >
> 
> That was my guess, the repeated near-identical sysfs entries are
> confusing patch.  The stable kernels also suffer from this
> misapplication, but the misapplication is random, for instance I
> noticed here
> 
> http://www.mail-archive.com/stable@linux.kernel.org/msg07097.html
> 
> that the patch has been misapplied to suid_dumpable.  It looks like
> all of the stable kernels need to be separately checked, and if
> necessary different patches need to be generated.

Ok, can someone please do this and send me the patches?  I don't exactly
know what you are referring to here to be able to do it myself...

greg k-h

* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Kees Cook @ 2012-04-01  2:10 UTC (permalink / raw)
  To: Phillip Lougher
  Cc: linux-kernel, Andrew Morton, Richard Weinberger, Dan Rosenberg,
	Serge E. Hallyn, Eugene Teo, Eric Paris, James Morris

Actually, proc_dmesg_restrict is just a CAP_SYS_ADMIN-checking wrapper
around proc_dointvec_minmax. Probably both dmesg_restrict and
kptr_restrict should use it.

On Fri, Mar 30, 2012 at 4:43 PM, Phillip Lougher <plougher@redhat.com> wrote:
> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
> however, it incorrectly alters kptr_restrict rather than
> dmesg_restrict.
>
> The original patch from Richard Weinberger
> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
> expected, and so the patch seems to have been misapplied.
>
> Signed-off-by: Phillip Lougher <plougher@redhat.com>
> ---
>  kernel/sysctl.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index f487f25..72a5302 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -713,7 +713,7 @@ static struct ctl_table kern_table[] = {
>                .data           = &dmesg_restrict,
>                .maxlen         = sizeof(int),
>                .mode           = 0644,
> -               .proc_handler   = proc_dointvec_minmax,
> +               .proc_handler   = proc_dmesg_restrict,
>                .extra1         = &zero,
>                .extra2         = &one,
>        },
> @@ -722,7 +722,7 @@ static struct ctl_table kern_table[] = {
>                .data           = &kptr_restrict,
>                .maxlen         = sizeof(int),
>                .mode           = 0644,
> -               .proc_handler   = proc_dmesg_restrict,
> +               .proc_handler   = proc_dointvec_minmax,
>                .extra1         = &zero,
>                .extra2         = &two,
>        },
> --
> 1.7.9.5
>



-- 
Kees Cook
ChromeOS Security

* Re: [PATCH] sysctl: fix restrict write access to dmesg_restrict
From: Serge E. Hallyn @ 2012-04-04  2:30 UTC (permalink / raw)
  To: Kees Cook
  Cc: Phillip Lougher, linux-kernel, Andrew Morton, Richard Weinberger,
	Dan Rosenberg, Serge E. Hallyn, Eugene Teo, Eric Paris,
	James Morris

Quoting Kees Cook (keescook@chromium.org):
> Actually, proc_dmesg_restrict is just a CAP_SYS_ADMIN-checking wrapper
> around proc_dointvec_minmax. Probably both dmesg_restrict and
> kptr_restrict should use it.

I've seen no more emails since this one.  Kees, do you want to send a
new patch?  (or has someone handled it?)

thanks,
-serge

* [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: Kees Cook @ 2012-04-04 18:40 UTC (permalink / raw)
  To: Serge E. Hallyn
  Cc: linux-kernel, PhillipLougherplougher, Andrew Morton,
	Richard Weinberger, Greg Kroah-Hartman, Dan Rosenberg, Eugene Teo,
	Eric Paris, James Morris

Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
however, it incorrectly alters kptr_restrict rather than
dmesg_restrict.

The original patch from Richard Weinberger
(https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
expected, and so the patch seems to have been misapplied.

This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
kptr_restrict, since both are sensitive.

Reported-by: Phillip Lougher <plougher@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
---
 kernel/sysctl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 52b3a06..4ab1187 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
 #endif
 
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
 
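
Review bot: The prototype is renamed to the generic `proc_dointvec_minmax_sysadmin` but is still declared only inside `#ifdef CONFIG_PRINTK`, so the name now promises a general-purpose helper that exists only in some configurations. Either move the declaration and definition out of the `CONFIG_PRINTK` guard so other tables can use it, or add a comment at the prototype saying it is built only for the entries covered by that option.
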
@@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &dmesg_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
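
Review bot: With this entry's handler now refusing writes by capability, the unchanged `.mode = 0644` no longer describes who can write dmesg_restrict, and nothing in the table entry says so. A one-line comment on the entry noting that `proc_dointvec_minmax_sysadmin` enforces a stricter write check than the mode bits would save the next reader from assuming 0644 is the whole story.
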
@@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &kptr_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dmesg_restrict,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
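
Review bot: The removed line in this hunk shows kptr_restrict already used `proc_dmesg_restrict`, so for this entry the change only follows the rename and the CAP_SYS_ADMIN check is kept, not added. The changelog sentence "This adds the CAP_SYS_ADMIN check to both dmesg_restrict and kptr_restrict" would be more accurate if it said the check is added to dmesg_restrict and retained on kptr_restrict.
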
@@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
 }
 
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos)
 {
 	if (write && !capable(CAP_SYS_ADMIN))
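
Review bot: The renamed definition carries no comment describing its contract, and with a generic name it is likely to be picked up for other tables. A short comment above `proc_dointvec_minmax_sysadmin` should state that writes are refused without CAP_SYS_ADMIN, per the visible `if (write && !capable(CAP_SYS_ADMIN))`, that reads skip the check, and which error the caller sees, since the return statement falls outside the context shown here.
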
-- 
1.7.0.4

-- 
Kees Cook
Chrome OS Security

* Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: Richard Weinberger @ 2012-04-04 19:07 UTC (permalink / raw)
  To: Kees Cook
  Cc: Serge E. Hallyn, linux-kernel, PhillipLougherplougher,
	Andrew Morton, Greg Kroah-Hartman, Dan Rosenberg, Eugene Teo,
	Eric Paris, James Morris

On 04.04.2012 20:40, Kees Cook wrote:
> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
> however, it incorrectly alters kptr_restrict rather than
> dmesg_restrict.
>
> The original patch from Richard Weinberger
> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
> expected, and so the patch seems to have been misapplied.
>
> This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
> kptr_restrict, since both are sensitive.
>
> Reported-by: Phillip Lougher<plougher@redhat.com>
> Signed-off-by: Kees Cook<keescook@chromium.org>
> Cc: stable@vger.kernel.org

Acked-by: Richard Weinberger <richard@nod.at>

Thanks,
//richard

* Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: Serge E. Hallyn @ 2012-04-04 21:27 UTC (permalink / raw)
  To: Kees Cook
  Cc: Serge E. Hallyn, linux-kernel, PhillipLougherplougher,
	Andrew Morton, Richard Weinberger, Greg Kroah-Hartman,
	Dan Rosenberg, Eugene Teo, Eric Paris, James Morris

Quoting Kees Cook (keescook@chromium.org):
> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
> however, it incorrectly alters kptr_restrict rather than
> dmesg_restrict.
> 
> The original patch from Richard Weinberger
> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
> expected, and so the patch seems to have been misapplied.
> 
> This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
> kptr_restrict, since both are sensitive.
> 
> Reported-by: Phillip Lougher <plougher@redhat.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>

> Cc: stable@vger.kernel.org
> ---
>  kernel/sysctl.c |    8 ++++----
>  1 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 52b3a06..4ab1187 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
>  #endif
>  
>  #ifdef CONFIG_PRINTK
> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>  				void __user *buffer, size_t *lenp, loff_t *ppos);
>  #endif
>  
> @@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
>  		.data		= &dmesg_restrict,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dointvec_minmax,
> +		.proc_handler	= proc_dointvec_minmax_sysadmin,
>  		.extra1		= &zero,
>  		.extra2		= &one,
>  	},
> @@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
>  		.data		= &kptr_restrict,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dmesg_restrict,
> +		.proc_handler	= proc_dointvec_minmax_sysadmin,
>  		.extra1		= &zero,
>  		.extra2		= &two,
>  	},
> @@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
>  }
>  
>  #ifdef CONFIG_PRINTK
> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>  				void __user *buffer, size_t *lenp, loff_t *ppos)
>  {
>  	if (write && !capable(CAP_SYS_ADMIN))
> -- 
> 1.7.0.4
> 
> -- 
> Kees Cook
> Chrome OS Security

* Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: Kees Cook @ 2012-04-04 21:43 UTC (permalink / raw)
  To: Phillip Lougher
  Cc: linux-kernel, Serge E. Hallyn, Andrew Morton, Richard Weinberger,
	Greg Kroah-Hartman, Dan Rosenberg, Eugene Teo, Eric Paris,
	James Morris

[forward, with my botch of plougher's email address corrected]

On Wed, Apr 4, 2012 at 2:27 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> Quoting Kees Cook (keescook@chromium.org):
>> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
>> however, it incorrectly alters kptr_restrict rather than
>> dmesg_restrict.
>>
>> The original patch from Richard Weinberger
>> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
>> expected, and so the patch seems to have been misapplied.
>>
>> This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
>> kptr_restrict, since both are sensitive.
>>
>> Reported-by: Phillip Lougher <plougher@redhat.com>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
>
>> Cc: stable@vger.kernel.org
>> ---
>>  kernel/sysctl.c |    8 ++++----
>>  1 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
>> index 52b3a06..4ab1187 100644
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
>>  #endif
>>
>>  #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>>                               void __user *buffer, size_t *lenp, loff_t *ppos);
>>  #endif
>>
>> @@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
>>               .data           = &dmesg_restrict,
>>               .maxlen         = sizeof(int),
>>               .mode           = 0644,
>> -             .proc_handler   = proc_dointvec_minmax,
>> +             .proc_handler   = proc_dointvec_minmax_sysadmin,
>>               .extra1         = &zero,
>>               .extra2         = &one,
>>       },
>> @@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
>>               .data           = &kptr_restrict,
>>               .maxlen         = sizeof(int),
>>               .mode           = 0644,
>> -             .proc_handler   = proc_dmesg_restrict,
>> +             .proc_handler   = proc_dointvec_minmax_sysadmin,
>>               .extra1         = &zero,
>>               .extra2         = &two,
>>       },
>> @@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
>>  }
>>
>>  #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>>                               void __user *buffer, size_t *lenp, loff_t *ppos)
>>  {
>>       if (write && !capable(CAP_SYS_ADMIN))
>> --
>> 1.7.0.4
>>
>> --
>> Kees Cook
>> Chrome OS Security



-- 
Kees Cook
ChromeOS Security

* Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: James Morris @ 2012-04-05  5:11 UTC (permalink / raw)
  To: Kees Cook, Linus Torvalds
  Cc: Serge E. Hallyn, linux-kernel, Andrew Morton, Richard Weinberger,
	Greg Kroah-Hartman, Dan Rosenberg, Eugene Teo, Eric Paris

Here it is in git pullable form for Linus:

The following changes since commit 6c216ec636f75d834461be15f83ec41a6759bd2b:
  Linus Torvalds (1):
        Merge tag 'for_linus-3.4-rc2' of git://git.kernel.org/.../jwessel/kgdb

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus

Kees Cook (1):
      sysctl: fix write access to dmesg_restrict/kptr_restrict

 kernel/sysctl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 620f6e8e855d6d447688a5f67a4e176944a084e8
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Apr 4 11:40:19 2012 -0700

    sysctl: fix write access to dmesg_restrict/kptr_restrict
    
    Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
    however, it incorrectly alters kptr_restrict rather than
    dmesg_restrict.
    
    The original patch from Richard Weinberger
    (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
    expected, and so the patch seems to have been misapplied.
    
    This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
    kptr_restrict, since both are sensitive.
    
    Reported-by: Phillip Lougher <plougher@redhat.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Acked-by: Richard Weinberger <richard@nod.at>
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris <james.l.morris@oracle.com>

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 52b3a06..4ab1187 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
 #endif
 
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
 
@@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &dmesg_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &one,
 	},
@@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
 		.data		= &kptr_restrict,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dmesg_restrict,
+		.proc_handler	= proc_dointvec_minmax_sysadmin,
 		.extra1		= &zero,
 		.extra2		= &two,
 	},
@@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
 }
 
 #ifdef CONFIG_PRINTK
-static int proc_dmesg_restrict(struct ctl_table *table, int write,
+static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp, loff_t *ppos)
 {
 	if (write && !capable(CAP_SYS_ADMIN))
