RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg

Presently, the security checks for syslog(2) apply also to access to
/proc/kmsg, because /proc/kmsg's file_operations functions just call
do_syslog, and the call to security_syslog is in do_syslog, not
sys_syslog.  [The only callers of do_syslog are sys_syslog and
kmsg_{read,poll,open,release}.]  This has the effect, with the default
security policy, that no matter what the file permissions on
/proc/kmsg are, only a process with CAP_SYS_ADMIN can actually open or
read it.  [Yes, if you open /proc/kmsg as root and then drop
privileges, subsequent reads on that fd fail.]  In consequence, if one
wishes to run klogd as an unprivileged user, one is forced to jump
through awkward hoops - for example, Ubuntu's /etc/init.d/klogd
interposes a root-privileged "dd" process and a named pipe between
/proc/kmsg and the actual klogd.

I propose to move the security_syslog() check from do_syslog to
sys_syslog, so that the syscall remains restricted to CAP_SYS_ADMIN in
the default policy, but /proc/kmsg is governed by its file
permissions.  With the attached patch, I can run klogd as an
unprivileged user, having changed the ownership of /proc/kmsg to that
user before starting it, and it still works.  Equally, I can leave the
ownership alone but modify klogd to get messages from stdin, start it
with stdin open on /proc/kmsg (again unprivileged) and it works.

I think this is safe in the default security policy - /proc/kmsg
starts out owned by root and mode 400 - but I am not sure of the
impact on SELinux or other alternate policy frameworks.

Patch versus 2.6.19-rc4; please consider for the next release.

zw

Signed-off-by: Zack Weinberg <[email protected]>

--- kernel/printk.c.unmod	2006-11-06 15:00:44.000000000 -0800
+++ kernel/printk.c	2006-11-06 15:01:51.000000000 -0800
@@ -187,10 +187,6 @@ int do_syslog(int type, char __user *buf
	char c;
	int error = 0;

-	error = security_syslog(type);
-	if (error)
-		return error;
-
	switch (type) {
	case 0:		/* Close log */
		break;
@@ -317,6 +313,10 @@ out:

asmlinkage long sys_syslog(int type, char __user *buf, int len)
{
+	int error = security_syslog(type);
+	if (error)
+		return error;
+
	return do_syslog(type, buf, len);
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Chris Wright <[email protected]>

• Prev by Date: Re: [ckrm-tech] [RFC] Resource Management - Infrastructure choices
• Next by Date: Re: [ckrm-tech] [RFC] Resource Management - Infrastructure choices
• Previous by thread: Linux 2.6.19-rc5
• Next by thread: Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]