When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
to read the kernel ring buffer.
But a root user without CAP_SYS_ADMIN is able to reset
dmesg_restrict to 0.
This is an issue when e.g. LXC (Linux Containers) are used
and complete user space is running without CAP_SYS_ADMIN.
A unprivileged and jailed root user can bypass the
dmesg_restrict protection.
With this patch writing to dmesg_restrict is only allowed
when root has CAP_SYS_ADMIN.
Signed-off-by: Richard Weinberger <[email protected]>
---
kernel/sysctl.c | 18 +++++++++++++++++-
1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 4eed0af..f90c8f6 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
#endif
+#ifdef CONFIG_PRINTK
+static int proc_dmesg_restrict(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+#endif
+
#ifdef CONFIG_MAGIC_SYSRQ
/* Note: sysrq code uses it's own private copy */
static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
@@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
.data = &dmesg_restrict,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec_minmax,
+ .proc_handler = proc_dmesg_restrict,
.extra1 = &zero,
.extra2 = &one,
},
@@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int write,
return err;
}
+#ifdef CONFIG_PRINTK
+static int proc_dmesg_restrict(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ if (write && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+}
+#endif
+
struct do_proc_dointvec_minmax_conv_param {
int *min;
int *max;
--
1.6.6.1
On Mon, 2011-03-14 at 20:35 +0100, Richard Weinberger wrote:
> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
> to read the kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset
> dmesg_restrict to 0.
A minor correction, CAP_SYSLOG is needed to read the kernel syslog. But
I think requiring CAP_SYS_ADMIN is appropriate to modify the value of
the sysctl, so assuming the commit message reflects this:
Acked-by: Dan Rosenberg <[email protected]>
>
> This is an issue when e.g. LXC (Linux Containers) are used
> and complete user space is running without CAP_SYS_ADMIN.
> A unprivileged and jailed root user can bypass the
> dmesg_restrict protection.
>
> With this patch writing to dmesg_restrict is only allowed
> when root has CAP_SYS_ADMIN.
>
> Signed-off-by: Richard Weinberger <[email protected]>
> ---
> kernel/sysctl.c | 18 +++++++++++++++++-
> 1 files changed, 17 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 4eed0af..f90c8f6 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int write,
> void __user *buffer, size_t *lenp, loff_t *ppos);
> #endif
>
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos);
> +#endif
> +
> #ifdef CONFIG_MAGIC_SYSRQ
> /* Note: sysrq code uses it's own private copy */
> static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
> @@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
> .data = &dmesg_restrict,
> .maxlen = sizeof(int),
> .mode = 0644,
> - .proc_handler = proc_dointvec_minmax,
> + .proc_handler = proc_dmesg_restrict,
> .extra1 = &zero,
> .extra2 = &one,
> },
> @@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int write,
> return err;
> }
>
> +#ifdef CONFIG_PRINTK
> +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> + if (write && !capable(CAP_SYS_ADMIN))
> + return -EPERM;
> +
> + return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> +}
> +#endif
> +
> struct do_proc_dointvec_minmax_conv_param {
> int *min;
> int *max;
> --
> 1.6.6.1
Am Montag 14 März 2011, 20:49:55 schrieb Dan Rosenberg:
> On Mon, 2011-03-14 at 20:35 +0100, Richard Weinberger wrote:
> > When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed
> > to read the kernel ring buffer.
> > But a root user without CAP_SYS_ADMIN is able to reset
> > dmesg_restrict to 0.
>
> A minor correction, CAP_SYSLOG is needed to read the kernel syslog. But
> I think requiring CAP_SYS_ADMIN is appropriate to modify the value of
> the sysctl, so assuming the commit message reflects this:
Thanks for the info!
I did not notice commit ce6ada3 (security: Define CAP_SYSLOG).
But as you said, writing to dmesg_restrict should still require CAP_SYS_ADMIN.
> Acked-by: Dan Rosenberg <[email protected]>
>
> > This is an issue when e.g. LXC (Linux Containers) are used
> > and complete user space is running without CAP_SYS_ADMIN.
> > A unprivileged and jailed root user can bypass the
> > dmesg_restrict protection.
> >
> > With this patch writing to dmesg_restrict is only allowed
> > when root has CAP_SYS_ADMIN.
> >
> > Signed-off-by: Richard Weinberger <[email protected]>
> > ---
> >
> > kernel/sysctl.c | 18 +++++++++++++++++-
> > 1 files changed, 17 insertions(+), 1 deletions(-)
> >
> > diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> > index 4eed0af..f90c8f6 100644
> > --- a/kernel/sysctl.c
> > +++ b/kernel/sysctl.c
> > @@ -169,6 +169,11 @@ static int proc_taint(struct ctl_table *table, int
> > write,
> >
> > void __user *buffer, size_t *lenp, loff_t *ppos);
> >
> > #endif
> >
> > +#ifdef CONFIG_PRINTK
> > +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> > + void __user *buffer, size_t *lenp, loff_t *ppos);
> > +#endif
> > +
> >
> > #ifdef CONFIG_MAGIC_SYSRQ
> > /* Note: sysrq code uses it's own private copy */
> > static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
> >
> > @@ -704,7 +709,7 @@ static struct ctl_table kern_table[] = {
> >
> > .data = &dmesg_restrict,
> > .maxlen = sizeof(int),
> > .mode = 0644,
> >
> > - .proc_handler = proc_dointvec_minmax,
> > + .proc_handler = proc_dmesg_restrict,
> >
> > .extra1 = &zero,
> > .extra2 = &one,
> >
> > },
> >
> > @@ -2397,6 +2402,17 @@ static int proc_taint(struct ctl_table *table, int
> > write,
> >
> > return err;
> >
> > }
> >
> > +#ifdef CONFIG_PRINTK
> > +static int proc_dmesg_restrict(struct ctl_table *table, int write,
> > + void __user *buffer, size_t *lenp, loff_t *ppos)
> > +{
> > + if (write && !capable(CAP_SYS_ADMIN))
> > + return -EPERM;
> > +
> > + return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> > +}
> > +#endif
> > +
> >
> > struct do_proc_dointvec_minmax_conv_param {
> >
> > int *min;
> > int *max;
On Mon, 14 Mar 2011 20:35:56 +0100, Richard Weinberger wrote:
> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
> kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset dmesg_restrict to
> 0.
>
> This is an issue when e.g. LXC (Linux Containers) are used and complete
> user space is running without CAP_SYS_ADMIN. A unprivileged and jailed
> root user can bypass the dmesg_restrict protection.
>
> With this patch writing to dmesg_restrict is only allowed when root has
> CAP_SYS_ADMIN.
>
> Signed-off-by: Richard Weinberger <[email protected]>
Makes sense.
Reviewed-by: WANG Cong <[email protected]>
Thanks.