Commit bfdc0b49 authored by Richard Weinberger's avatar Richard Weinberger Committed by Linus Torvalds
Browse files

sysctl: restrict write access to dmesg_restrict 



When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel
ring buffer.  But a root user without CAP_SYS_ADMIN is able to reset
dmesg_restrict to 0.

This is an issue when e.g.  LXC (Linux Containers) are used and complete
user space is running without CAP_SYS_ADMIN.  A unprivileged and jailed
root user can bypass the dmesg_restrict protection.

With this patch writing to dmesg_restrict is only allowed when root has
CAP_SYS_ADMIN.

Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
Acked-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Acked-by: default avatarSerge E. Hallyn <serge@hallyn.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: Eugene Teo <eugeneteo@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent cb16e95f

kernel/sysctl.c

+17 −1
Original line number Diff line number Diff line
@@ -170,6 +170,11 @@ static int proc_taint(struct ctl_table *table, int write, 
			       void __user *buffer, size_t *lenp, loff_t *ppos);

#endif



#ifdef CONFIG_PRINTK

static int proc_dmesg_restrict(struct ctl_table *table, int write,

				void __user *buffer, size_t *lenp, loff_t *ppos);

#endif



#ifdef CONFIG_MAGIC_SYSRQ

/* Note: sysrq code uses it's own private copy */

static int __sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
@@ -707,7 +712,7 @@ static struct ctl_table kern_table[] = { 
		.data		= &kptr_restrict,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec_minmax,

		.proc_handler	= proc_dmesg_restrict,

		.extra1		= &zero,

		.extra2		= &two,

	},
@@ -2394,6 +2399,17 @@ static int proc_taint(struct ctl_table *table, int write, 
	return err;

}



#ifdef CONFIG_PRINTK

static int proc_dmesg_restrict(struct ctl_table *table, int write,

				void __user *buffer, size_t *lenp, loff_t *ppos)

{

	if (write && !capable(CAP_SYS_ADMIN))

		return -EPERM;



	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);

}

#endif



struct do_proc_dointvec_minmax_conv_param {

	int *min;

	int *max;

CRA Git | Maintained and supported by SUSTech CRA and CCSE