Hi Andrew,

I've reviewed this now and you can add:

Acked-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>

  Luis

On Mon, Apr 25, 2022 at 02:46:51PM -0700, Andrew Morton wrote:
> 
> The patch titled
>      Subject: proc/sysctl: make protected_* world readable
> has been removed from the -mm tree.  Its filename was
>      proc-sysctl-make-protected_-world-readable.patch
> 
> This patch was dropped because it is obsolete
> 
> ------------------------------------------------------
> From: Julius Hemanth Pitti <jpitti@xxxxxxxxx>
> Subject: proc/sysctl: make protected_* world readable
> 
> protected_* files have 600 permissions, which prevent non-superusers from
> reading them.
> 
> Containers like "AWS greengrass" refuse to launch unless
> protected_hardlinks and protected_symlinks are set.  When containers like
> these run with "userns-remap" or "--user" mapping the container's root to
> a non-superuser on the host, they fail to run due to denied read access to
> these files.
> 
> As these protections are hardly a secret, and do not possess any security
> risk, making them world readable.
> 
> Though the above greengrass use case needs read access to only the
> protected_hardlinks and protected_symlinks files, setting all other
> protected_* files to 644 to keep consistency.
> 
> Link: http://lkml.kernel.org/r/20200709235115.56954-1-jpitti@xxxxxxxxx
> Fixes: 800179c9b8a1 ("fs: add link restrictions")
> Signed-off-by: Julius Hemanth Pitti <jpitti@xxxxxxxxx>
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Iurii Zaikin <yzaikin@xxxxxxxxxx>
> Cc: Luis Chamberlain <mcgrof@xxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxx>
> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> ---
> 
>  fs/namei.c |    8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> --- a/fs/namei.c~proc-sysctl-make-protected_-world-readable
> +++ a/fs/namei.c
> @@ -1031,7 +1031,7 @@ static struct ctl_table namei_sysctls[] > .procname = "protected_symlinks", > .data = &sysctl_protected_symlinks, > .maxlen = sizeof(int), > - .mode = 0600, > + .mode = 0644, > .proc_handler = proc_dointvec_minmax, > .extra1 = SYSCTL_ZERO, > .extra2 = SYSCTL_ONE, > @@ -1040,7 +1040,7 @@ static struct ctl_table namei_sysctls[] > .procname = "protected_hardlinks", > .data = &sysctl_protected_hardlinks, > .maxlen = sizeof(int), > - .mode = 0600, > + .mode = 0644, > .proc_handler = proc_dointvec_minmax, > .extra1 = SYSCTL_ZERO, > .extra2 = SYSCTL_ONE, > @@ -1049,7 +1049,7 @@ static struct ctl_table namei_sysctls[] > .procname = "protected_fifos", > .data = &sysctl_protected_fifos, > .maxlen = sizeof(int), > - .mode = 0600, > + .mode = 0644, > .proc_handler = proc_dointvec_minmax, > .extra1 = SYSCTL_ZERO, > .extra2 = SYSCTL_TWO, > @@ -1058,7 +1058,7 @@ static struct ctl_table namei_sysctls[] > .procname = "protected_regular", > .data = &sysctl_protected_regular, > .maxlen = sizeof(int), > - .mode = 0600, > + .mode = 0644, > .proc_handler = proc_dointvec_minmax, > .extra1 = SYSCTL_ZERO, > .extra2 = SYSCTL_TWO, > _ > > Patches currently in -mm which might be from jpitti@xxxxxxxxx are > >
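Review bot: In the protected_symlinks hunk (and the identical protected_hardlinks hunk that follows it) the only bit that changes is the read bit for group and other: 0644 keeps writes owner-only and the extra1/extra2 clamps to SYSCTL_ZERO..SYSCTL_ONE are untouched, so the write path is unchanged and the review question is purely about disclosure. The log asserts the values "do not possess any security risk" without saying why; it should state how an unprivileged process can already observe these two settings, since that is the actual justification for exposing them, and the userns-remap scenario in the log only needs these two entries.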
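Review bot: The protected_fifos and protected_regular hunks are swept under the single Fixes: 800179c9b8a1 ("fs: add link restrictions") tag, but that title covers only the link restrictions, and these two entries are tri-state (extra2 = SYSCTL_TWO) rather than the 0..1 of the link sysctls, so they are a different feature; the log itself says the greengrass use case needs only protected_hardlinks and protected_symlinks. Either drop the Fixes: tag, since widening a mode for consistency is not a bug fix, or scope the tag to the two link hunks, so a stable backport does not try to apply hunks for entries a tree may not have. The log should also say that a world-readable 0..2 value reveals the exact restriction level to any local user, which the "hardly a secret" argument is made only for the link files.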