diff options
| author | Kees Cook <keescook@chromium.org> | 2013-06-12 17:04:39 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-06-12 19:29:44 -0400 |
| commit | 637241a900cbd982f744d44646b48a273d609b34 (patch) | |
| tree | 0c8e84af9e6a37bd61f9fc9b7a668472df53df46 /kernel | |
| parent | cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db (diff) | |
kmsg: honor dmesg_restrict sysctl on /dev/kmsg
The dmesg_restrict sysctl currently covers the syslog method for access
dmesg, however /dev/kmsg isn't covered by the same protections. Most
people haven't noticed because util-linux dmesg(1) defaults to using the
syslog method for access in older versions. With util-linux dmesg(1)
defaults to reading directly from /dev/kmsg.
To fix /dev/kmsg, let's compare the existing interfaces and what they
allow:
- /proc/kmsg allows:
- open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive
single-reader interface (SYSLOG_ACTION_READ).
- everything, after an open.
- syslog syscall allows:
- anything, if CAP_SYSLOG.
- SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if
dmesg_restrict==0.
- nothing else (EPERM).
The use-cases were:
- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs.
- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the
destructive SYSLOG_ACTION_READs.
AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't
clear the ring buffer.
Based on the comments in devkmsg_llseek, it sounds like actions besides
reading aren't going to be supported by /dev/kmsg (i.e.
SYSLOG_ACTION_CLEAR), so we have a strict subset of the non-destructive
syslog syscall actions.
To this end, move the check as Josh had done, but also rename the
constants to reflect their new uses (SYSLOG_FROM_CALL becomes
SYSLOG_FROM_READER, and SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC).
SYSLOG_FROM_READER allows non-destructive actions, and SYSLOG_FROM_PROC
allows destructive actions after a capabilities-constrained
SYSLOG_ACTION_OPEN check.
- /dev/kmsg allows:
- open if CAP_SYSLOG or dmesg_restrict==0
- reading/polling, after open
Addresses https://bugzilla.redhat.com/show_bug.cgi?id=903192
[akpm@linux-foundation.org: use pr_warn_once()]
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Christian Kujau <lists@nerdbynature.de>
Tested-by: Josh Boyer <jwboyer@redhat.com>
Cc: Kay Sievers <kay@vrfy.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/printk.c | 91 |
1 files changed, 50 insertions, 41 deletions
diff --git a/kernel/printk.c b/kernel/printk.c index fa36e1494420..8212c1aef125 100644 --- a/kernel/printk.c +++ b/kernel/printk.c | |||
| @@ -363,6 +363,53 @@ static void log_store(int facility, int level, | |||
| 363 | log_next_seq++; | 363 | log_next_seq++; |
| 364 | } | 364 | } |
| 365 | 365 | ||
| 366 | #ifdef CONFIG_SECURITY_DMESG_RESTRICT | ||
| 367 | int dmesg_restrict = 1; | ||
| 368 | #else | ||
| 369 | int dmesg_restrict; | ||
| 370 | #endif | ||
| 371 | |||
| 372 | static int syslog_action_restricted(int type) | ||
| 373 | { | ||
| 374 | if (dmesg_restrict) | ||
| 375 | return 1; | ||
| 376 | /* | ||
| 377 | * Unless restricted, we allow "read all" and "get buffer size" | ||
| 378 | * for everybody. | ||
| 379 | */ | ||
| 380 | return type != SYSLOG_ACTION_READ_ALL && | ||
| 381 | type != SYSLOG_ACTION_SIZE_BUFFER; | ||
| 382 | } | ||
| 383 | |||
| 384 | static int check_syslog_permissions(int type, bool from_file) | ||
| 385 | { | ||
| 386 | /* | ||
| 387 | * If this is from /proc/kmsg and we've already opened it, then we've | ||
| 388 | * already done the capabilities checks at open time. | ||
| 389 | */ | ||
| 390 | if (from_file && type != SYSLOG_ACTION_OPEN) | ||
| 391 | return 0; | ||
| 392 | |||
| 393 | if (syslog_action_restricted(type)) { | ||
| 394 | if (capable(CAP_SYSLOG)) | ||
| 395 | return 0; | ||
| 396 | /* | ||
| 397 | * For historical reasons, accept CAP_SYS_ADMIN too, with | ||
| 398 | * a warning. | ||
| 399 | */ | ||
| 400 | if (capable(CAP_SYS_ADMIN)) { | ||
| 401 | pr_warn_once("%s (%d): Attempt to access syslog with " | ||
| 402 | "CAP_SYS_ADMIN but no CAP_SYSLOG " | ||
| 403 | "(deprecated).\n", | ||
| 404 | current->comm, task_pid_nr(current)); | ||
| 405 | return 0; | ||
| 406 | } | ||
| 407 | return -EPERM; | ||
| 408 | } | ||
| 409 | return security_syslog(type); | ||
| 410 | } | ||
| 411 | |||
| 412 | |||
| 366 | /* /dev/kmsg - userspace message inject/listen interface */ | 413 | /* /dev/kmsg - userspace message inject/listen interface */ |
| 367 | struct devkmsg_user { | 414 | struct devkmsg_user { |
| 368 | u64 seq; | 415 | u64 seq; |
| @@ -620,7 +667,8 @@ static int devkmsg_open(struct inode *inode, struct file *file) | |||
| 620 | if ((file->f_flags & O_ACCMODE) == O_WRONLY) | 667 | if ((file->f_flags & O_ACCMODE) == O_WRONLY) |
| 621 | return 0; | 668 | return 0; |
| 622 | 669 | ||
| 623 | err = security_syslog(SYSLOG_ACTION_READ_ALL); | 670 | err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, |
| 671 | SYSLOG_FROM_READER); | ||
| 624 | if (err) | 672 | if (err) |
| 625 | return err; | 673 | return err; |
| 626 | 674 | ||
| @@ -813,45 +861,6 @@ static inline void boot_delay_msec(int level) | |||
| 813 | } | 861 | } |
| 814 | #endif | 862 | #endif |
| 815 | 863 | ||
| 816 | #ifdef CONFIG_SECURITY_DMESG_RESTRICT | ||
| 817 | int dmesg_restrict = 1; | ||
| 818 | #else | ||
| 819 | int dmesg_restrict; | ||
| 820 | #endif | ||
| 821 | |||
| 822 | static int syslog_action_restricted(int type) | ||
| 823 | { | ||
| 824 | if (dmesg_restrict) | ||
| 825 | return 1; | ||
| 826 | /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ | ||
| 827 | return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; | ||
| 828 | } | ||
| 829 | |||
| 830 | static int check_syslog_permissions(int type, bool from_file) | ||
| 831 | { | ||
| 832 | /* | ||
| 833 | * If this is from /proc/kmsg and we've already opened it, then we've | ||
| 834 | * already done the capabilities checks at open time. | ||
| 835 | */ | ||
| 836 | if (from_file && type != SYSLOG_ACTION_OPEN) | ||
| 837 | return 0; | ||
| 838 | |||
| 839 | if (syslog_action_restricted(type)) { | ||
| 840 | if (capable(CAP_SYSLOG)) | ||
| 841 | return 0; | ||
| 842 | /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ | ||
| 843 | if (capable(CAP_SYS_ADMIN)) { | ||
| 844 | printk_once(KERN_WARNING "%s (%d): " | ||
| 845 | "Attempt to access syslog with CAP_SYS_ADMIN " | ||
| 846 | "but no CAP_SYSLOG (deprecated).\n", | ||
| 847 | current->comm, task_pid_nr(current)); | ||
| 848 | return 0; | ||
| 849 | } | ||
| 850 | return -EPERM; | ||
| 851 | } | ||
| 852 | return 0; | ||
| 853 | } | ||
| 854 | |||
| 855 | #if defined(CONFIG_PRINTK_TIME) | 864 | #if defined(CONFIG_PRINTK_TIME) |
| 856 | static bool printk_time = 1; | 865 | static bool printk_time = 1; |
| 857 | #else | 866 | #else |
| @@ -1249,7 +1258,7 @@ out: | |||
| 1249 | 1258 | ||
| 1250 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) | 1259 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) |
| 1251 | { | 1260 | { |
| 1252 | return do_syslog(type, buf, len, SYSLOG_FROM_CALL); | 1261 | return do_syslog(type, buf, len, SYSLOG_FROM_READER); |
| 1253 | } | 1262 | } |
| 1254 | 1263 | ||
| 1255 | /* | 1264 | /* |