
Revert "pstore: Honor dmesg_restrict sysctl on dmesg dumps"

This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
various conflict clean-ups.

The capability check required too much privilege compared to simple DAC
controls. A system builder was forced to have crash handler processes
run with CAP_SYSLOG, which would give them the ability to read (and wipe)
the _current_ dmesg, which is much more access than being given access
only to the historical log stored in pstorefs.

With the prior commit to make the root directory 0750, the files are
protected by default but a system builder can now opt to give access
to a specific group (via chgrp on the pstorefs root directory) without
being forced to also give away CAP_SYSLOG.

Suggested-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Petr Mladek <pmladek@suse.cz>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

+1 -33
-22
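--- a/fs/pstore/inode.c
+++ b/fs/pstore/inode.c
@@
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/uaccess.h>
-#include <linux/syslog.h>
 
 #include "internal.h"
 
@@
 	.show = pstore_ftrace_seq_show,
 };
 
-static int pstore_check_syslog_permissions(struct pstore_private *ps)
-{
-	switch (ps->record->type) {
-	case PSTORE_TYPE_DMESG:
-	case PSTORE_TYPE_CONSOLE:
-		return check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
-			SYSLOG_FROM_READER);
-	default:
-		return 0;
-	}
-}
-
 static ssize_t pstore_file_read(struct file *file, char __user *userbuf,
 				size_t count, loff_t *ppos)
 {
@@
 	struct seq_file *sf;
 	int err;
 	const struct seq_operations *sops = NULL;
-
-	err = pstore_check_syslog_permissions(ps);
-	if (err)
-		return err;
 
 	if (ps->record->type == PSTORE_TYPE_FTRACE)
 		sops = &pstore_ftrace_seq_ops;
@@
 {
 	struct pstore_private *p = d_inode(dentry)->i_private;
 	struct pstore_record *record = p->record;
-	int err;
-
-	err = pstore_check_syslog_permissions(p);
-	if (err)
-		return err;
 
 	if (!record->psi->erase)
 		return -EPERM;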
-9
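--- a/include/linux/syslog.h
+++ b/include/linux/syslog.h
@@ -49,13 +49,4 @@
 
 int do_syslog(int type, char __user *buf, int count, int source);
 
-#ifdef CONFIG_PRINTK
-int check_syslog_permissions(int type, int source);
-#else
-static inline int check_syslog_permissions(int type, int source)
-{
-	return 0;
-}
-#endif
-
 #endif /* _LINUX_SYSLOG_H */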
+1 -2
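--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -649,7 +649,7 @@
 	       type != SYSLOG_ACTION_SIZE_BUFFER;
 }
 
-int check_syslog_permissions(int type, int source)
+static int check_syslog_permissions(int type, int source)
 {
 	/*
 	 * If this is from /proc/kmsg and we've already opened it, then we've
@@ -677,7 +677,6 @@
 ok:
 	return security_syslog(type);
 }
-EXPORT_SYMBOL_GPL(check_syslog_permissions);
 
 static void append_char(char **pp, char *e, char c)
 {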
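Review bot: The now-static `check_syslog_permissions()` (first hunk, at the changed signature) has no comment recording that pstore no longer calls it, so a later reader can easily assume dmesg_restrict and CAP_SYSLOG still cover the dmesg and console records kept in pstorefs. Per the commit description those records are protected only by DAC on the pstorefs root directory after this change, which also means this revert should not be carried (for example in a backport) without the commit that makes that directory 0750. I would add above the function something like `/* Not used by pstore: stored dmesg/console records are protected by pstorefs file permissions, not by dmesg_restrict. */`. The function body continues outside the hunk, so whether an existing comment already says this cannot be seen here.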