Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg

* Zack Weinberg ([email protected]) wrote:
> Presently, the security checks for syslog(2) apply also to access to
> /proc/kmsg, because /proc/kmsg's file_operations functions just call
> do_syslog, and the call to security_syslog is in do_syslog, not
> sys_syslog.  [The only callers of do_syslog are sys_syslog and
> kmsg_{read,poll,open,release}.]  This has the effect, with the default
> security policy, that no matter what the file permissions on
> /proc/kmsg are, only a process with CAP_SYS_ADMIN can actually open or
> read it.  [Yes, if you open /proc/kmsg as root and then drop
> privileges, subsequent reads on that fd fail.]  In consequence, if one
> wishes to run klogd as an unprivileged user, one is forced to jump
> through awkward hoops - for example, Ubuntu's /etc/init.d/klogd
> interposes a root-privileged "dd" process and a named pipe between
> /proc/kmsg and the actual klogd.

The act of reading from /proc/kmsg alters the state of the ring buffer.
This is not the same as smth like dmesg, which simply dumps the messages.
That's why only getting current size and dumping are treated as
less-privileged.

> I propose to move the security_syslog() check from do_syslog to
> sys_syslog, so that the syscall remains restricted to CAP_SYS_ADMIN in
> the default policy, but /proc/kmsg is governed by its file
> permissions.  With the attached patch, I can run klogd as an
> unprivileged user, having changed the ownership of /proc/kmsg to that
> user before starting it, and it still works.  Equally, I can leave the
> ownership alone but modify klogd to get messages from stdin, start it
> with stdin open on /proc/kmsg (again unprivileged) and it works.
> 
> I think this is safe in the default security policy - /proc/kmsg
> starts out owned by root and mode 400 - but I am not sure of the
> impact on SELinux or other alternate policy frameworks.

SELinux doesn't distinguish the entrypoint to the ringbuffer,
so this patch would break its current behaviour.

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Sergey Vlasov <[email protected]>

• References:
  • RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: "Zack Weinberg" <[email protected]>

• Prev by Date: [PATCH 7/33] usb: pvrusb2-hdw free unlink urb cleanup
• Next by Date: Re: [PATCH 0/14] KVM: Kernel-based Virtual Machine (v4)
• Previous by thread: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
• Next by thread: Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]