Hi,

I'm not sure who should carry this tree (me? Greg? akpm? Linus?), but
it fixes a kernel address exposure bug reported by Dominik Czarnota,
where /sys/modules/*/sections/* contents were visible to uid-0 without
CAP_SYSLOG (e.g. in containers):

This is correct, with CAP_SYSLOG:

	# cat /sys/module/*/sections/.*text
	0xffffffffc0458000
	...

This is broken:

	# capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
	0xffffffffc0458000
	...

Fixing this required refactoring of several internals, and in the process
uncovered other users of kallsyms_show_value() that were doing checks
during "read" context instead of "open" context. This fixes all of these
cases by plumbing the file->f_cred through to their ultimate checks via
kallsyms_show_value()'s new cred argument.

Testing, reviews, and acks appreciated. :)

Thanks!

-Kees

Kees Cook (5):
  kallsyms: Refactor kallsyms_show_value() to take cred
  module: Refactor section attr into bin attribute
  module: Do not expose section addresses to non-CAP_SYSLOG
  kprobes: Do not expose probe addresses to non-CAP_SYSLOG
  bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok()

 include/linux/filter.h     |  4 +--
 include/linux/kallsyms.h   |  5 ++--
 kernel/bpf/syscall.c       | 37 +++++++++++++++------------
 kernel/kallsyms.c          | 17 ++++++++-----
 kernel/kprobes.c           |  4 +--
 kernel/module.c            | 51 ++++++++++++++++++++------------------
 net/core/sysctl_net_core.c |  2 +-
 7 files changed, 67 insertions(+), 53 deletions(-)

-- 
2.25.1
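
A regression check for the exposure described in the cover letter, written as an added example that is not part of the original message or of the patch series. The function names are hypothetical, and it assumes a hidden section address reads back as all zeros; CAP_SYSLOG is capability bit 34 in CapEff.

```shell
#!/bin/sh
# Added example: flag kernel addresses readable from module section files
# by a process that does not hold CAP_SYSLOG.

# has_cap_syslog [STATUS_FILE]: succeed if CapEff has bit 34 (CAP_SYSLOG) set.
has_cap_syslog() {
    capeff=$(awk '/^CapEff:/ {print $2}' "${1:-/proc/self/status}")
    [ -n "$capeff" ] || return 1
    [ $(( (0x$capeff >> 34) & 1 )) -eq 1 ]
}

# count_exposed [ROOT]: print how many files under ROOT/module/*/sections/
# hold a non-zero hex address. ROOT defaults to /sys.
count_exposed() {
    root=${1:-/sys}
    exposed=0
    # Section names usually start with a dot, which a plain * does not match.
    for f in "$root"/module/*/sections/* "$root"/module/*/sections/.[!.]*; do
        [ -f "$f" ] || continue
        # An unreadable file is not an exposure.
        val=$(cat "$f" 2>/dev/null) || continue
        case $val in
            0x*) ;;
            *) continue ;;
        esac
        # Assumption: a hidden address is all zeros. Strip "0x" and every
        # '0' digit; anything left over is a real address.
        digits=${val#0x}
        nonzero=$(printf '%s' "$digits" | tr -d '0')
        if [ -n "$nonzero" ]; then
            exposed=$((exposed + 1))
            echo "exposed: $f = $val" >&2
        fi
    done
    echo "$exposed"
}

# audit [ROOT] [STATUS_FILE]: fail if addresses are visible without CAP_SYSLOG.
audit() {
    n=$(count_exposed "${1:-/sys}")
    if ! has_cap_syslog "${2:-/proc/self/status}" && [ "$n" -gt 0 ]; then
        echo "FAIL: $n section addresses visible without CAP_SYSLOG" >&2
        return 1
    fi
    return 0
}
```

To reproduce the broken case from the message, source the file and call audit as uid 0 inside a shell started with capsh --drop=CAP_SYSLOG.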