On Mon, 2015-11-30 at 12:30 +0100, Willy Tarreau wrote: > On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote: > > On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote: > > > On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote: > > > This is wrong; see > > > <https://marc.info/?l=linux-api&m=143144321020852&w=2>. > > > > Damned, and I now remember this discussion. The worst thing is that > > I purposely booted a machine to test the fix and was happy with it, > > I forgot this point :-( > > > > > For 2.6.32 perhaps you could retain the capability check at open time > > > but store the result in private state for use at read time. > > > > I'll see if it is possible to opencode security_capable() with 2.6.32's > > infrastructure, and how far this brings us. Or maybe we should even drop > > this one completely and leave pagemap readable only for superuser on > > 2.6.32, it doesn't seem to be that big of a deal either. > > It was easy enough to open-code security_capable() in the end. I've > tested this version which works fine for me here. If that's OK for you > I'll emit an -rc2 with the last two patches. [...] > + /* do not disclose physical addresses: attack vector */ > + pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT); [...] But this bypasses SELinux's additional restrictions on capabilities. I think it would be better to cherry-pick this first: commit 6037b715d6fab139742c3df8851db4c823081561 Author: Chris Wright <chrisw@xxxxxxxxxxxx> Date: Wed Feb 9 22:11:51 2011 -0800 security: add cred argument to security_capable() and then you can pass file->f_cred to security_capable(). Ben. -- Ben Hutchings Who are all these weirdos? - David Bowie, reading IRC for the first time
Attachment:
signature.asc
Description: This is a digitally signed message part