linux/fs/proc
Kees Cook 637241a900 kmsg: honor dmesg_restrict sysctl on /dev/kmsg
The dmesg_restrict sysctl currently covers the syslog method for access
dmesg, however /dev/kmsg isn't covered by the same protections.  Most
people haven't noticed because util-linux dmesg(1) defaults to using the
syslog method for access in older versions.  With util-linux dmesg(1)
defaults to reading directly from /dev/kmsg.

To fix /dev/kmsg, let's compare the existing interfaces and what they
allow:

 - /proc/kmsg allows:
  - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive
    single-reader interface (SYSLOG_ACTION_READ).
  - everything, after an open.

 - syslog syscall allows:
  - anything, if CAP_SYSLOG.
  - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if
    dmesg_restrict==0.
  - nothing else (EPERM).

The use-cases were:
 - dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs.
 - sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the
   destructive SYSLOG_ACTION_READs.

AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't
clear the ring buffer.

Based on the comments in devkmsg_llseek, it sounds like actions besides
reading aren't going to be supported by /dev/kmsg (i.e.
SYSLOG_ACTION_CLEAR), so we have a strict subset of the non-destructive
syslog syscall actions.

To this end, move the check as Josh had done, but also rename the
constants to reflect their new uses (SYSLOG_FROM_CALL becomes
SYSLOG_FROM_READER, and SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC).
SYSLOG_FROM_READER allows non-destructive actions, and SYSLOG_FROM_PROC
allows destructive actions after a capabilities-constrained
SYSLOG_ACTION_OPEN check.

 - /dev/kmsg allows:
  - open if CAP_SYSLOG or dmesg_restrict==0
  - reading/polling, after open

Addresses https://bugzilla.redhat.com/show_bug.cgi?id=903192

[akpm@linux-foundation.org: use pr_warn_once()]
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Christian Kujau <lists@nerdbynature.de>
Tested-by: Josh Boyer <jwboyer@redhat.com>
Cc: Kay Sievers <kay@vrfy.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-06-12 16:29:44 -07:00
..
array.c kthread: Prevent unpark race which puts threads on the wrong cpu 2013-04-12 14:18:43 +02:00
base.c posix-timers: Show clock ID in proc file 2013-05-28 11:41:14 +02:00
cmdline.c
consoles.c console: rename acquire/release_console_sem() to console_lock/unlock() 2011-01-26 10:50:06 +10:00
cpuinfo.c
devices.c proc: use seq_puts()/seq_putc() where possible 2011-01-13 08:03:16 -08:00
fd.c procfs: add ability to plug in auxiliary fdinfo providers 2012-12-17 17:15:27 -08:00
fd.h proc: Move proc_fd() to fs/proc/fd.h 2013-05-01 17:29:39 -04:00
generic.c proc: Make the PROC_I() and PDE() macros internal to procfs 2013-05-01 17:29:47 -04:00
inode.c proc: Split the namespace stuff out into linux/proc_ns.h 2013-05-01 17:29:39 -04:00
internal.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
interrupts.c
Kconfig kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
kcore.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
kmsg.c kmsg: honor dmesg_restrict sysctl on /dev/kmsg 2013-06-12 16:29:44 -07:00
loadavg.c sched, timers: cleanup avenrun users 2009-05-15 15:32:45 +02:00
Makefile mm, vmalloc: move get_vmalloc_info() to vmalloc.c 2013-04-29 15:54:33 -07:00
meminfo.c mm, vmalloc: move get_vmalloc_info() to vmalloc.c 2013-04-29 15:54:33 -07:00
namespaces.c proc: Split the namespace stuff out into linux/proc_ns.h 2013-05-01 17:29:39 -04:00
nommu.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
page.c kpageflags: fix wrong KPF_THP on non-huge compound pages 2012-10-09 16:23:00 +09:00
proc_devtree.c proc_devtree: Replace include linux/module.h with linux/export.h 2013-05-04 15:31:01 -04:00
proc_net.c proc: Move PDE_NET() to fs/proc/proc_net.c 2013-05-01 17:29:40 -04:00
proc_sysctl.c fs/proc: clean up printks 2013-02-27 19:10:11 -08:00
proc_tty.c proc: use seq_puts()/seq_putc() where possible 2011-01-13 08:03:16 -08:00
root.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
self.c Include missing linux/slab.h inclusions 2013-04-29 15:42:01 -04:00
softirqs.c proc: use seq_puts()/seq_putc() where possible 2011-01-13 08:03:16 -08:00
stat.c stat: Use size_t for sizes instead of unsigned 2013-02-01 12:32:08 +02:00
task_mmu.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
task_nommu.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
uptime.c Merge branch 'sched/core' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into cputime-tip 2011-12-19 19:23:15 +01:00
version.c
vmcore.c proc: Supply a function to remove a proc entry by PDE 2013-05-01 17:29:46 -04:00