On Tue, Apr 9, 2013 at 6:33 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Tue, Apr 9, 2013 at 8:48 AM, Josh Boyer <jwboyer@xxxxxxxxxx> wrote:
>> The dmesg_restrict sysctl currently covers the syslog method for access
>> dmesg, however /dev/kmsg isn't covered by the same protections. Most
>> people haven't noticed because util-linux dmesg(1) defaults to using the
>> syslog method for access in older versions. With util-linux dmesg(1)
>> defaults to reading directly from /dev/kmsg.
>>
>> Fix this by reworking all of the access methods to use the
>> check_syslog_permissions function and adding checks to devkmsg_open and
>> devkmsg_read.
>>
>> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=903192
>>
>> Reported-by: Christian Kujau <lists@xxxxxxxxxxxxxxx>
>> CC: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
>> Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxx>
>
> Thanks!
>
> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

If that's the version currently in Fedora, we just cannot do this.
https://bugzilla.redhat.com/show_bug.cgi?id=952655

/dev/kmsg is supposed, and was added, to be a sane alternative to
syslog(). It is already used in dmesg(1) which is now broken with this
patch.

The access rules for /dev/kmsg should follow the access rules of
syslog(), and not be any stricter.

Thanks,
Kay
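
An added example, not part of the thread or of the patch under discussion: a small Python check that probes both kernel-log interfaces as the calling user and reports whether /dev/kmsg is looser or stricter than syslog(2). The function names and the result labels are assumptions made for this example; it uses only the dmesg_restrict sysctl path, /dev/kmsg and the glibc klogctl() wrapper.

```python
import ctypes
import errno
import os

SYSLOG_ACTION_READ_ALL = 3  # syslog(2) action: read the ring buffer non-destructively

def read_restrict(path="/proc/sys/kernel/dmesg_restrict"):
    """Return the sysctl value as an int, or None if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def syslog_allowed():
    """True if syslog(2) READ_ALL succeeds for the calling process."""
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(4096)
    return libc.klogctl(SYSLOG_ACTION_READ_ALL, buf, len(buf)) >= 0

def kmsg_allowed(path="/dev/kmsg"):
    """True if the device can be opened and read by the calling process."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return False
    try:
        os.read(fd, 8192)
        return True
    except OSError as e:
        # Empty log (EAGAIN) or overwritten record (EPIPE): access was granted.
        return e.errno in (errno.EAGAIN, errno.EPIPE)
    finally:
        os.close(fd)

def compare(restrict, syslog_ok, kmsg_ok):
    """Classify /dev/kmsg access relative to syslog(2) access (labels are this example's own)."""
    if kmsg_ok and not syslog_ok:
        return "kmsg-looser"    # /dev/kmsg not covered by the restriction
    if syslog_ok and not kmsg_ok:
        return "kmsg-stricter"  # /dev/kmsg stricter than syslog()
    if restrict == 1 and syslog_ok:
        return "consistent-privileged"  # both readable despite the restriction
    return "consistent"

if __name__ == "__main__":
    print(compare(read_restrict(), syslog_allowed(), kmsg_allowed()))
```

Run it as the unprivileged account of interest, once with dmesg_restrict set to 0 and once with 1; any result other than a "consistent" label means the two interfaces disagree for that user.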