With the added check for syslog open rights in sys_syslog() it is
possible to relax restrictions on syslog access in cap_syslog() and
dummy_syslog(), so that a process could open /proc/kmsg, then drop all
privileges including CAP_SYS_ADMIN, and still be able to use the
/proc/kmsg file descriptor for reading kernel messages.
selinux_syslog() is not modified - a process which handles kernel
messages still needs to have the "syslog_mod" permission.
Signed-off-by: Sergey Vlasov <[email protected]>
---
security/commoncap.c | 24 +++++++++++++++++++++---
security/dummy.c | 24 +++++++++++++++++++++---
2 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index f50fc29..966cfce 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -311,9 +311,27 @@ void cap_task_reparent_to_init (struct t
int cap_syslog (int type)
{
- if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
- return -EPERM;
- return 0;
+ switch (type) {
+ case 3: /* Read last kernel messages */
+ case 10: /* Size of the log buffer */
+ /* Allow dmesg for unprivileged users. */
+ return 0;
+
+ case 2: /* Read from log */
+ case 9: /* Number of chars in the log buffer */
+ /*
+ * Allow read() and poll() on a /proc/kmsg file descriptor
+ * opened by a privileged process. This does not enable
+ * uncontrolled access through the syslog system call, because
+ * sys_syslog() additionally checks the syslog open permission.
+ */
+ return 0;
+
+ default:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+ }
}
int cap_vm_enough_memory(long pages)
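Review bot: `case 2` and `case 9` in cap_syslog() now return 0 for every caller, so the only remaining gate on reading the log (and, for type 2, consuming it) is the open-permission check that the description says was added to sys_syslog(), which is not part of this diff. If this patch is applied or backported without that companion change, an unprivileged call with type 2 or 9 would presumably pass this hook unchecked. The dependency should therefore be stated where the relaxation lives, for example by adding `* Depends on the open-permission check in sys_syslog(); without it types 2 and 9 are unguarded here.` to the block comment. It is also worth confirming that every path that reaches this hook with type 2 or 9 goes through that check. The same applies to the identical switch in dummy_syslog() in security/dummy.c.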
diff --git a/security/dummy.c b/security/dummy.c
index 58c6d39..3da65fe 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -96,9 +96,27 @@ static int dummy_quota_on (struct dentry
static int dummy_syslog (int type)
{
- if ((type != 3 && type != 10) && current->euid)
- return -EPERM;
- return 0;
+ switch (type) {
+ case 3: /* Read last kernel messages */
+ case 10: /* Size of the log buffer */
+ /* Allow dmesg for unprivileged users. */
+ return 0;
+
+ case 2: /* Read from log */
+ case 9: /* Number of chars in the log buffer */
+ /*
+ * Allow read() and poll() on a /proc/kmsg file descriptor
+ * opened by a privileged process. This does not enable
+ * uncontrolled access through the syslog system call, because
+ * sys_syslog() additionally checks the syslog open permission.
+ */
+ return 0;
+
+ default:
+ if (current->euid)
+ return -EPERM;
+ return 0;
+ }
}
static int dummy_settime(struct timespec *ts, struct timezone *tz)
--
1.4.3.3.gddcc6