1 files changed, 18 insertions, 7 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 4273b2d71a27..26b7ee491df8 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -290,13 +290,24 @@ Default value is "/sbin/hotplug".
 kptr_restrict:
 This toggle indicates whether restrictions are placed on
-exposing kernel addresses via /proc and other interfaces.  When
+exposing kernel addresses via /proc and other interfaces.
-kptr_restrict is set to (0), there are no restrictions.  When
-kptr_restrict is set to (1), the default, kernel pointers
+When kptr_restrict is set to (0), the default, there are no restrictions.
-printed using the %pK format specifier will be replaced with 0's
-unless the user has CAP_SYSLOG.  When kptr_restrict is set to
+When kptr_restrict is set to (1), kernel pointers printed using the %pK
-(2), kernel pointers printed using %pK will be replaced with 0's
+format specifier will be replaced with 0's unless the user has CAP_SYSLOG
-regardless of privileges.
+and effective user and group ids are equal to the real ids. This is
+because %pK checks are done at read() time rather than open() time, so
+if permissions are elevated between the open() and the read() (e.g via
+a setuid binary) then %pK will not leak kernel pointers to unprivileged
+users. Note, this is a temporary solution only. The correct long-term
+solution is to do the permission checks at open() time. Consider removing
+world read permissions from files that use %pK, and using dmesg_restrict
+to protect against uses of %pK in dmesg(8) if leaking kernel pointer
+values to unprivileged users is a concern.
+When kptr_restrict is set to (2), kernel pointers printed using
+%pK will be replaced with 0's regardless of privileges.
 ==============================================================

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 4273b2d71a27..26b7ee491df8 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt
@@ -290,13 +290,24 @@ Default value is "/sbin/hotplug".
290	kptr_restrict:	290	kptr_restrict:
291		291
292	This toggle indicates whether restrictions are placed on	292	This toggle indicates whether restrictions are placed on
293	exposing kernel addresses via /proc and other interfaces. When	293	exposing kernel addresses via /proc and other interfaces.
294	kptr_restrict is set to (0), there are no restrictions. When	294
295	kptr_restrict is set to (1), the default, kernel pointers	295	When kptr_restrict is set to (0), the default, there are no restrictions.
296	printed using the %pK format specifier will be replaced with 0's	296
297	unless the user has CAP_SYSLOG. When kptr_restrict is set to	297	When kptr_restrict is set to (1), kernel pointers printed using the %pK
298	(2), kernel pointers printed using %pK will be replaced with 0's	298	format specifier will be replaced with 0's unless the user has CAP_SYSLOG
299	regardless of privileges.	299	and effective user and group ids are equal to the real ids. This is
		300	because %pK checks are done at read() time rather than open() time, so
		301	if permissions are elevated between the open() and the read() (e.g via
		302	a setuid binary) then %pK will not leak kernel pointers to unprivileged
		303	users. Note, this is a temporary solution only. The correct long-term
		304	solution is to do the permission checks at open() time. Consider removing
		305	world read permissions from files that use %pK, and using dmesg_restrict
		306	to protect against uses of %pK in dmesg(8) if leaking kernel pointer
		307	values to unprivileged users is a concern.
		308
		309	When kptr_restrict is set to (2), kernel pointers printed using
		310	%pK will be replaced with 0's regardless of privileges.
300		311
301	==============================================================	312	==============================================================
302		313