Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict

From: Kees Cook
Date: Wed Apr 04 2012 - 17:43:53 EST


[forward, with my botch of plougher's email address corrected]

On Wed, Apr 4, 2012 at 2:27 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> Quoting Kees Cook (keescook@xxxxxxxxxxxx):
>> Commit bfdc0b4 adds code to restrict access to dmesg_restrict;
>> however, it incorrectly alters kptr_restrict rather than
>> dmesg_restrict.
>>
>> The original patch from Richard Weinberger
>> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
>> expected, and so the patch seems to have been misapplied.
>>
>> This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
>> kptr_restrict, since both are sensitive.
>>
>> Reported-by: Phillip Lougher <plougher@xxxxxxxxxx>
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>
>> Cc: stable@xxxxxxxxxxxxxxx
>> ---
>>  kernel/sysctl.c |    8 ++++----
>>  1 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
>> index 52b3a06..4ab1187 100644
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
>>  #endif
>>
>>  #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>>                               void __user *buffer, size_t *lenp, loff_t *ppos);
>>  #endif
>>
>> @@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
>>               .data           = &dmesg_restrict,
>>               .maxlen         = sizeof(int),
>>               .mode           = 0644,
>> -             .proc_handler   = proc_dointvec_minmax,
>> +             .proc_handler   = proc_dointvec_minmax_sysadmin,
>>               .extra1         = &zero,
>>               .extra2         = &one,
>>       },
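Review bot: The new proc_handler on the dmesg_restrict entry (and on the kptr_restrict entry in the hunk at L54) names a function whose prototype and definition are both placed under `#ifdef CONFIG_PRINTK`, and this hunk's context does not show whether the table entry sits under the same guard; if it does not, a CONFIG_PRINTK=n build fails on an undeclared handler, which is worth confirming before the patch goes to stable. The entry's `.mode = 0644` ordinarily already confines writes to the file owner at the VFS level, so the handler's capability check adds protection specifically for uid-0 processes that lack CAP_SYS_ADMIN; stating that in the commit message would make the security rationale explicit. The `.extra1`/`.extra2` bounds presumably remain enforced if the handler falls through to proc_dointvec_minmax(), but the hunk does not show that.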
>> @@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
>>               .data           = &kptr_restrict,
>>               .maxlen         = sizeof(int),
>>               .mode           = 0644,
>> -             .proc_handler   = proc_dmesg_restrict,
>> +             .proc_handler   = proc_dointvec_minmax_sysadmin,
>>               .extra1         = &zero,
>>               .extra2         = &two,
>>       },
>> @@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
>>  }
>>
>>  #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>>                               void __user *buffer, size_t *lenp, loff_t *ppos)
>>  {
>>       if (write && !capable(CAP_SYS_ADMIN))
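Review bot: The renamed handler carries no comment saying how it differs from proc_dointvec_minmax(), and with a generic name it is likely to be reused for other tables, so a short header would help: `/* Like proc_dointvec_minmax(), but writes additionally require CAP_SYS_ADMIN. */` above the definition. The visible check `if (write && !capable(CAP_SYS_ADMIN))` restricts only writes, so reads continue to depend on the entry's file mode alone. The function body continues past the end of the hunk, so the return value on the denied path and the fall-through to the minmax handler are not visible here.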
>> --
>> 1.7.0.4
>>
>> --
>> Kees Cook
>> Chrome OS Security



--
Kees Cook
ChromeOS Security