Re: [PATCH] sysctl: fix write access to dmesg_restrict/kptr_restrict
From: Kees Cook
Date: Wed Apr 04 2012 - 17:43:53 EST
[forward, with my botch of plougher's email address corrected]
On Wed, Apr 4, 2012 at 2:27 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> Quoting Kees Cook (keescook@xxxxxxxxxxxx):
>> Commit bfdc0b4 adds code to restrict access to dmesg_restrict,
>> however, it incorrectly alters kptr_restrict rather than
>> dmesg_restrict.
>>
>> The original patch from Richard Weinberger
>> (https://lkml.org/lkml/2011/3/14/362) alters dmesg_restrict as
>> expected, and so the patch seems to have been misapplied.
>>
>> This adds the CAP_SYS_ADMIN check to both dmesg_restrict and
>> kptr_restrict, since both are sensitive.
>>
>> Reported-by: Phillip Lougher <plougher@xxxxxxxxxx>
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>
>> Cc: stable@xxxxxxxxxxxxxxx
>> ---
>> kernel/sysctl.c | 8 ++++----
>> 1 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
>> index 52b3a06..4ab1187 100644
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -170,7 +170,7 @@ static int proc_taint(struct ctl_table *table, int write,
>> #endif
>>
>> #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>> void __user *buffer, size_t *lenp, loff_t *ppos);
>> #endif
>>
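Review bot: the renamed forward declaration stays inside `#ifdef CONFIG_PRINTK`, yet the new name `proc_dointvec_minmax_sysadmin` reads as a general-purpose handler rather than a printk-specific one; a later table entry outside CONFIG_PRINTK that picks it up will fail to build, so either hoist the declaration (and definition) out of the ifdef or add a short comment at the declaration noting it is only available with CONFIG_PRINTK.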
>> @@ -703,7 +703,7 @@ static struct ctl_table kern_table[] = {
>> .data = &dmesg_restrict,
>> .maxlen = sizeof(int),
>> .mode = 0644,
>> - .proc_handler = proc_dointvec_minmax,
>> + .proc_handler = proc_dointvec_minmax_sysadmin,
>> .extra1 = &zero,
>> .extra2 = &one,
>> },
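Review bot: the `.mode = 0644` bits only express DAC permission, so before this hunk any caller that passed the mode check could write dmesg_restrict through plain `proc_dointvec_minmax` with no capability test; the handler swap here is the change that actually closes the gap described in the changelog. `extra1 = &zero` / `extra2 = &one` still clamp the accepted value to 0..1, and reads remain open to everyone under 0644, which is fine for a knob whose only effect is to restrict log visibility.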
>> @@ -712,7 +712,7 @@ static struct ctl_table kern_table[] = {
>> .data = &kptr_restrict,
>> .maxlen = sizeof(int),
>> .mode = 0644,
>> - .proc_handler = proc_dmesg_restrict,
>> + .proc_handler = proc_dointvec_minmax_sysadmin,
>> .extra1 = &zero,
>> .extra2 = &two,
>> },
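Review bot: the subject line says write access to both dmesg_restrict and kptr_restrict is fixed, but this hunk shows kptr_restrict was already routed through `proc_dmesg_restrict` (the misapplied handler the changelog mentions) and only takes the new name; the CAP_SYS_ADMIN write check was in place here all along and `extra2 = &two` keeps the 0..2 range. Stating explicitly in the changelog that kptr_restrict's behaviour is unchanged would avoid a stable reviewer reading this as a second functional fix.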
>> @@ -1943,7 +1943,7 @@ static int proc_taint(struct ctl_table *table, int write,
>> }
>>
>> #ifdef CONFIG_PRINTK
>> -static int proc_dmesg_restrict(struct ctl_table *table, int write,
>> +static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
>> void __user *buffer, size_t *lenp, loff_t *ppos)
>> {
>> if (write && !capable(CAP_SYS_ADMIN))
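Review bot: the hunk ends right after `if (write && !capable(CAP_SYS_ADMIN))`, so the rest of the body, the error return and the fall-through to the range-clamping handler, is not visible in this context and cannot be confirmed unchanged from the diff alone; since this is Cc: stable, a sentence in the changelog saying the function body is untouched and only the identifier moves would make the backport easier to verify. The `write &&` condition also confirms reads are unaffected, consistent with the 0644 mode in the two table entries above.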
>> --
>> 1.7.0.4
>>
>> --
>> Kees Cook
>> Chrome OS Security
--
Kees Cook
ChromeOS Security