The patch titled

     apply security_syslog() only to the syslog() syscall, not to /proc/kmsg

has been removed from the -mm tree.  Its filename was

     apply-security_syslog-only-to-the-syslog-syscall-not-to-proc-kmsg.patch

This patch was dropped because it was nacked by the maintainer

------------------------------------------------------
Subject: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
From: "Zack Weinberg" <zackw@xxxxxxxxx>

Presently, the security checks for syslog(2) apply also to access to
/proc/kmsg, because /proc/kmsg's file_operations functions just call
do_syslog, and the call to security_syslog is in do_syslog, not sys_syslog.
[The only callers of do_syslog are sys_syslog and
kmsg_{read,poll,open,release}.] This has the effect, with the default
security policy, that no matter what the file permissions on /proc/kmsg
are, only a process with CAP_SYS_ADMIN can actually open or read it.  [Yes,
if you open /proc/kmsg as root and then drop privileges, subsequent reads
on that fd fail.] In consequence, if one wishes to run klogd as an
unprivileged user, one is forced to jump through awkward hoops - for
example, Ubuntu's /etc/init.d/klogd interposes a root-privileged "dd"
process and a named pipe between /proc/kmsg and the actual klogd.

I propose to move the security_syslog() check from do_syslog to sys_syslog,
so that the syscall remains restricted to CAP_SYS_ADMIN in the default
policy, but /proc/kmsg is governed by its file permissions.  With the
attached patch, I can run klogd as an unprivileged user, having changed the
ownership of /proc/kmsg to that user before starting it, and it still
works.  Equally, I can leave the ownership alone but modify klogd to get
messages from stdin, start it with stdin open on /proc/kmsg (again
unprivileged) and it works.

I think this is safe in the default security policy - /proc/kmsg starts out
owned by root and mode 400 - but I am not sure of the impact on SELinux or
other alternate policy frameworks.

Signed-off-by: Zack Weinberg <zackw@xxxxxxxxx> Cc: Chris Wright <chrisw@xxxxxxxxxxxx> Cc: Stephen Smalley <sds@xxxxxxxxxxxxx> Cc: James Morris <jmorris@xxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx> --- kernel/printk.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff -puN kernel/printk.c~apply-security_syslog-only-to-the-syslog-syscall-not-to-proc-kmsg kernel/printk.c --- a/kernel/printk.c~apply-security_syslog-only-to-the-syslog-syscall-not-to-proc-kmsg +++ a/kernel/printk.c @@ -187,10 +187,6 @@ int do_syslog(int type, char __user *buf char c; int error = 0; - error = security_syslog(type); - if (error) - return error; - switch (type) { case 0: /* Close log */ break; @@ -317,6 +313,10 @@ out: asmlinkage long sys_syslog(int type, char __user *buf, int len) { + int error = security_syslog(type); + if (error) + return error; + return do_syslog(type, buf, len); } _ Patches currently in -mm which might be from zackw@xxxxxxxxx are apply-security_syslog-only-to-the-syslog-syscall-not-to-proc-kmsg.patch
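
Review bot: In the first hunk (do_syslog, at -187), removing the security_syslog(type) call leaves the /proc/kmsg path with no security hook at all, because kmsg_read, kmsg_poll, kmsg_open and kmsg_release call do_syslog directly and nothing in this patch adds a check on that side. That matches the stated goal for the default policy, where file permissions take over, but any policy module that relies on security_syslog() to mediate log access would stop seeing those reads, and the changelog leaves that question open. Suggest either keeping a hook call on the kmsg_* side or adding a comment above do_syslog stating that callers are now responsible for the security check, and getting an explicit ack from the security maintainers on Cc.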
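
Review bot: In the second hunk (sys_syslog, at -317), the new declaration "int error = security_syslog(type);" runs directly into "if (error)" with no blank line between the declaration and the first statement; the added blank line sits after "return error;" instead. Suggest a blank line after the declaration, plus a one-line comment saying the check lives in the syscall entry point on purpose and that do_syslog itself is unchecked, so a later cleanup does not fold it back or assume every do_syslog caller is already mediated.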