From d7caa33687cea218b6d68beea89d10a45a901e19 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 9 Aug 2017 20:43:17 -0700 Subject: pstore: Make default pstorefs root dir perms 0750 Currently only DMESG and CONSOLE record types are protected, and it isn't obvious that they are using a capability check. Instead switch to explicit root directory mode of 0750 to keep files private by default. This will allow the removal of the capability check, which was non-obvious and forces a process to have possibly too much privilege when simple post-boot chgrp for readers would be possible without it. Signed-off-by: Kees Cook Reviewed-by: Sergey Senozhatsky --- fs/pstore/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/pstore/inode.c b/fs/pstore/inode.c index fefd22611cf6..f1e88b695090 100644 --- a/fs/pstore/inode.c +++ b/fs/pstore/inode.c @@ -471,7 +471,7 @@ static int pstore_fill_super(struct super_block *sb, void *data, int silent) inode = pstore_get_inode(sb); if (inode) { - inode->i_mode = S_IFDIR | 0755; + inode->i_mode = S_IFDIR | 0750; inode->i_op = &pstore_dir_inode_operations; inode->i_fop = &simple_dir_operations; inc_nlink(inode); -- cgit v1.2.3 From c71b02e4d207cbcf097f9746d5f7967b22905e70 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 9 Aug 2017 21:11:00 -0700 Subject: Revert "pstore: Honor dmesg_restrict sysctl on dmesg dumps" This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with various conflict clean-ups. The capability check required too much privilege compared to simple DAC controls. A system builder was forced to have crash handler processes run with CAP_SYSLOG which would give it the ability to read (and wipe) the _current_ dmesg, which is much more access than being given access only to the historical log stored in pstorefs. With the prior commit to make the root directory 0750, the files are protected by default but a system builder can now opt to give access to a specific group (via chgrp on the pstorefs root directory) without being forced to also give away CAP_SYSLOG. Suggested-by: Nick Kralevich Signed-off-by: Kees Cook Reviewed-by: Petr Mladek Reviewed-by: Sergey Senozhatsky --- fs/pstore/inode.c | 22 ---------------------- include/linux/syslog.h | 9 --------- kernel/printk/printk.c | 3 +-- 3 files changed, 1 insertion(+), 33 deletions(-) diff --git a/fs/pstore/inode.c b/fs/pstore/inode.c index f1e88b695090..d814723fb27d 100644 --- a/fs/pstore/inode.c +++ b/fs/pstore/inode.c @@ -36,7 +36,6 @@ #include #include #include -#include #include "internal.h" @@ -132,18 +131,6 @@ static const struct seq_operations pstore_ftrace_seq_ops = { .show = pstore_ftrace_seq_show, }; -static int pstore_check_syslog_permissions(struct pstore_private *ps) -{ - switch (ps->record->type) { - case PSTORE_TYPE_DMESG: - case PSTORE_TYPE_CONSOLE: - return check_syslog_permissions(SYSLOG_ACTION_READ_ALL, - SYSLOG_FROM_READER); - default: - return 0; - } -} - static ssize_t pstore_file_read(struct file *file, char __user *userbuf, size_t count, loff_t *ppos) { @@ -163,10 +150,6 @@ static int pstore_file_open(struct inode *inode, struct file *file) int err; const struct seq_operations *sops = NULL; - err = pstore_check_syslog_permissions(ps); - if (err) - return err; - if (ps->record->type == PSTORE_TYPE_FTRACE) sops = &pstore_ftrace_seq_ops; @@ -204,11 +187,6 @@ static int pstore_unlink(struct inode *dir, struct dentry *dentry) { struct pstore_private *p = d_inode(dentry)->i_private; struct pstore_record *record = p->record; - int err; - - err = pstore_check_syslog_permissions(p); - if (err) - return err; if (!record->psi->erase) return -EPERM; diff --git a/include/linux/syslog.h b/include/linux/syslog.h index c3a7f0cc3a27..e1c3632f4e81 100644 --- a/include/linux/syslog.h +++ b/include/linux/syslog.h @@ -49,13 +49,4 @@ int do_syslog(int type, char __user *buf, int count, int source); -#ifdef CONFIG_PRINTK -int check_syslog_permissions(int type, int source); -#else -static inline int check_syslog_permissions(int type, int source) -{ - return 0; -} -#endif - #endif /* _LINUX_SYSLOG_H */ diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index fc47863f629c..97bda7b0655b 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -649,7 +649,7 @@ static int syslog_action_restricted(int type) type != SYSLOG_ACTION_SIZE_BUFFER; } -int check_syslog_permissions(int type, int source) +static int check_syslog_permissions(int type, int source) { /* * If this is from /proc/kmsg and we've already opened it, then we've @@ -677,7 +677,6 @@ int check_syslog_permissions(int type, int source) ok: return security_syslog(type); } -EXPORT_SYMBOL_GPL(check_syslog_permissions); static void append_char(char **pp, char *e, char c) { -- cgit v1.2.3