Commit 002345925e6c45861f60db6f4fc6236713fd8847
Committed by
James Morris
James Morris
1 parent
0719aaf5ea
Exists in
master
and in
7 other branches
syslog: distinguish between /proc/kmsg and syscalls
This allows the LSM to distinguish between syslog functions originating from /proc/kmsg access and direct syscalls. By default, the commoncaps will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg file descriptor. For example the kernel syslog reader can now drop privileges after opening /proc/kmsg, instead of staying privileged with CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged behavior. Signed-off-by: Kees Cook <kees.cook@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Showing 8 changed files with 59 additions and 22 deletions Side-by-side Diff
fs/proc/kmsg.c
| ... | ... | @@ -12,37 +12,37 @@ |
| 12 | 12 | #include <linux/poll.h> |
| 13 | 13 | #include <linux/proc_fs.h> |
| 14 | 14 | #include <linux/fs.h> |
| 15 | +#include <linux/syslog.h> | |
| 15 | 16 | |
| 16 | 17 | #include <asm/uaccess.h> |
| 17 | 18 | #include <asm/io.h> |
| 18 | 19 | |
| 19 | 20 | extern wait_queue_head_t log_wait; |
| 20 | 21 | |
| 21 | -extern int do_syslog(int type, char __user *bug, int count); | |
| 22 | - | |
| 23 | 22 | static int kmsg_open(struct inode * inode, struct file * file) |
| 24 | 23 | { |
| 25 | - return do_syslog(1,NULL,0); | |
| 24 | + return do_syslog(1, NULL, 0, SYSLOG_FROM_FILE); | |
| 26 | 25 | } |
| 27 | 26 | |
| 28 | 27 | static int kmsg_release(struct inode * inode, struct file * file) |
| 29 | 28 | { |
| 30 | - (void) do_syslog(0,NULL,0); | |
| 29 | + (void) do_syslog(0, NULL, 0, SYSLOG_FROM_FILE); | |
| 31 | 30 | return 0; |
| 32 | 31 | } |
| 33 | 32 | |
| 34 | 33 | static ssize_t kmsg_read(struct file *file, char __user *buf, |
| 35 | 34 | size_t count, loff_t *ppos) |
| 36 | 35 | { |
| 37 | - if ((file->f_flags & O_NONBLOCK) && !do_syslog(9, NULL, 0)) | |
| 36 | + if ((file->f_flags & O_NONBLOCK) && | |
| 37 | + !do_syslog(9, NULL, 0, SYSLOG_FROM_FILE)) | |
| 38 | 38 | return -EAGAIN; |
| 39 | - return do_syslog(2, buf, count); | |
| 39 | + return do_syslog(2, buf, count, SYSLOG_FROM_FILE); | |
| 40 | 40 | } |
| 41 | 41 | |
| 42 | 42 | static unsigned int kmsg_poll(struct file *file, poll_table *wait) |
| 43 | 43 | { |
| 44 | 44 | poll_wait(file, &log_wait, wait); |
| 45 | - if (do_syslog(9, NULL, 0)) | |
| 45 | + if (do_syslog(9, NULL, 0, SYSLOG_FROM_FILE)) | |
| 46 | 46 | return POLLIN | POLLRDNORM; |
| 47 | 47 | return 0; |
| 48 | 48 | } |
include/linux/security.h
| ... | ... | @@ -76,7 +76,7 @@ |
| 76 | 76 | extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp); |
| 77 | 77 | extern int cap_task_setioprio(struct task_struct *p, int ioprio); |
| 78 | 78 | extern int cap_task_setnice(struct task_struct *p, int nice); |
| 79 | -extern int cap_syslog(int type); | |
| 79 | +extern int cap_syslog(int type, bool from_file); | |
| 80 | 80 | extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); |
| 81 | 81 | |
| 82 | 82 | struct msghdr; |
| ... | ... | @@ -1349,6 +1349,7 @@ |
| 1349 | 1349 | * logging to the console. |
| 1350 | 1350 | * See the syslog(2) manual page for an explanation of the @type values. |
| 1351 | 1351 | * @type contains the type of action. |
| 1352 | + * @from_file indicates the context of action (if it came from /proc). | |
| 1352 | 1353 | * Return 0 if permission is granted. |
| 1353 | 1354 | * @settime: |
| 1354 | 1355 | * Check permission to change the system time. |
| ... | ... | @@ -1463,7 +1464,7 @@ |
| 1463 | 1464 | int (*sysctl) (struct ctl_table *table, int op); |
| 1464 | 1465 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); |
| 1465 | 1466 | int (*quota_on) (struct dentry *dentry); |
| 1466 | - int (*syslog) (int type); | |
| 1467 | + int (*syslog) (int type, bool from_file); | |
| 1467 | 1468 | int (*settime) (struct timespec *ts, struct timezone *tz); |
| 1468 | 1469 | int (*vm_enough_memory) (struct mm_struct *mm, long pages); |
| 1469 | 1470 | |
| ... | ... | @@ -1762,7 +1763,7 @@ |
| 1762 | 1763 | int security_sysctl(struct ctl_table *table, int op); |
| 1763 | 1764 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); |
| 1764 | 1765 | int security_quota_on(struct dentry *dentry); |
| 1765 | -int security_syslog(int type); | |
| 1766 | +int security_syslog(int type, bool from_file); | |
| 1766 | 1767 | int security_settime(struct timespec *ts, struct timezone *tz); |
| 1767 | 1768 | int security_vm_enough_memory(long pages); |
| 1768 | 1769 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); |
| 1769 | 1770 | |
| ... | ... | @@ -2008,9 +2009,9 @@ |
| 2008 | 2009 | return 0; |
| 2009 | 2010 | } |
| 2010 | 2011 | |
| 2011 | -static inline int security_syslog(int type) | |
| 2012 | +static inline int security_syslog(int type, bool from_file) | |
| 2012 | 2013 | { |
| 2013 | - return cap_syslog(type); | |
| 2014 | + return cap_syslog(type, from_file); | |
| 2014 | 2015 | } |
| 2015 | 2016 | |
| 2016 | 2017 | static inline int security_settime(struct timespec *ts, struct timezone *tz) |
include/linux/syslog.h
| 1 | +/* Syslog internals | |
| 2 | + * | |
| 3 | + * Copyright 2010 Canonical, Ltd. | |
| 4 | + * Author: Kees Cook <kees.cook@canonical.com> | |
| 5 | + * | |
| 6 | + * This program is free software; you can redistribute it and/or modify | |
| 7 | + * it under the terms of the GNU General Public License as published by | |
| 8 | + * the Free Software Foundation; either version 2, or (at your option) | |
| 9 | + * any later version. | |
| 10 | + * | |
| 11 | + * This program is distributed in the hope that it will be useful, | |
| 12 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 13 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 14 | + * GNU General Public License for more details. | |
| 15 | + * | |
| 16 | + * You should have received a copy of the GNU General Public License | |
| 17 | + * along with this program; see the file COPYING. If not, write to | |
| 18 | + * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. | |
| 19 | + */ | |
| 20 | + | |
| 21 | +#ifndef _LINUX_SYSLOG_H | |
| 22 | +#define _LINUX_SYSLOG_H | |
| 23 | + | |
| 24 | +#define SYSLOG_FROM_CALL 0 | |
| 25 | +#define SYSLOG_FROM_FILE 1 | |
| 26 | + | |
| 27 | +int do_syslog(int type, char __user *buf, int count, bool from_file); | |
| 28 | + | |
| 29 | +#endif /* _LINUX_SYSLOG_H */ |
kernel/printk.c
| ... | ... | @@ -35,6 +35,7 @@ |
| 35 | 35 | #include <linux/kexec.h> |
| 36 | 36 | #include <linux/ratelimit.h> |
| 37 | 37 | #include <linux/kmsg_dump.h> |
| 38 | +#include <linux/syslog.h> | |
| 38 | 39 | |
| 39 | 40 | #include <asm/uaccess.h> |
| 40 | 41 | |
| 41 | 42 | |
| ... | ... | @@ -273,14 +274,14 @@ |
| 273 | 274 | * 9 -- Return number of unread characters in the log buffer |
| 274 | 275 | * 10 -- Return size of the log buffer |
| 275 | 276 | */ |
| 276 | -int do_syslog(int type, char __user *buf, int len) | |
| 277 | +int do_syslog(int type, char __user *buf, int len, bool from_file) | |
| 277 | 278 | { |
| 278 | 279 | unsigned i, j, limit, count; |
| 279 | 280 | int do_clear = 0; |
| 280 | 281 | char c; |
| 281 | 282 | int error = 0; |
| 282 | 283 | |
| 283 | - error = security_syslog(type); | |
| 284 | + error = security_syslog(type, from_file); | |
| 284 | 285 | if (error) |
| 285 | 286 | return error; |
| 286 | 287 | |
| ... | ... | @@ -417,7 +418,7 @@ |
| 417 | 418 | |
| 418 | 419 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) |
| 419 | 420 | { |
| 420 | - return do_syslog(type, buf, len); | |
| 421 | + return do_syslog(type, buf, len, SYSLOG_FROM_CALL); | |
| 421 | 422 | } |
| 422 | 423 | |
| 423 | 424 | /* |
security/commoncap.c
| ... | ... | @@ -27,6 +27,7 @@ |
| 27 | 27 | #include <linux/sched.h> |
| 28 | 28 | #include <linux/prctl.h> |
| 29 | 29 | #include <linux/securebits.h> |
| 30 | +#include <linux/syslog.h> | |
| 30 | 31 | |
| 31 | 32 | /* |
| 32 | 33 | * If a non-root user executes a setuid-root binary in |
| 33 | 34 | |
| 34 | 35 | |
| ... | ... | @@ -888,12 +889,16 @@ |
| 888 | 889 | /** |
| 889 | 890 | * cap_syslog - Determine whether syslog function is permitted |
| 890 | 891 | * @type: Function requested |
| 892 | + * @from_file: Whether this request came from an open file (i.e. /proc) | |
| 891 | 893 | * |
| 892 | 894 | * Determine whether the current process is permitted to use a particular |
| 893 | 895 | * syslog function, returning 0 if permission is granted, -ve if not. |
| 894 | 896 | */ |
| 895 | -int cap_syslog(int type) | |
| 897 | +int cap_syslog(int type, bool from_file) | |
| 896 | 898 | { |
| 899 | + /* /proc/kmsg can open be opened by CAP_SYS_ADMIN */ | |
| 900 | + if (type != 1 && from_file) | |
| 901 | + return 0; | |
| 897 | 902 | if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) |
| 898 | 903 | return -EPERM; |
| 899 | 904 | return 0; |
security/security.c
| ... | ... | @@ -203,9 +203,9 @@ |
| 203 | 203 | return security_ops->quota_on(dentry); |
| 204 | 204 | } |
| 205 | 205 | |
| 206 | -int security_syslog(int type) | |
| 206 | +int security_syslog(int type, bool from_file) | |
| 207 | 207 | { |
| 208 | - return security_ops->syslog(type); | |
| 208 | + return security_ops->syslog(type, from_file); | |
| 209 | 209 | } |
| 210 | 210 | |
| 211 | 211 | int security_settime(struct timespec *ts, struct timezone *tz) |
security/selinux/hooks.c
| ... | ... | @@ -76,6 +76,7 @@ |
| 76 | 76 | #include <linux/selinux.h> |
| 77 | 77 | #include <linux/mutex.h> |
| 78 | 78 | #include <linux/posix-timers.h> |
| 79 | +#include <linux/syslog.h> | |
| 79 | 80 | |
| 80 | 81 | #include "avc.h" |
| 81 | 82 | #include "objsec.h" |
| 82 | 83 | |
| ... | ... | @@ -2049,11 +2050,11 @@ |
| 2049 | 2050 | return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); |
| 2050 | 2051 | } |
| 2051 | 2052 | |
| 2052 | -static int selinux_syslog(int type) | |
| 2053 | +static int selinux_syslog(int type, bool from_file) | |
| 2053 | 2054 | { |
| 2054 | 2055 | int rc; |
| 2055 | 2056 | |
| 2056 | - rc = cap_syslog(type); | |
| 2057 | + rc = cap_syslog(type, from_file); | |
| 2057 | 2058 | if (rc) |
| 2058 | 2059 | return rc; |
| 2059 | 2060 |
security/smack/smack_lsm.c
| ... | ... | @@ -157,12 +157,12 @@ |
| 157 | 157 | * |
| 158 | 158 | * Returns 0 on success, error code otherwise. |
| 159 | 159 | */ |
| 160 | -static int smack_syslog(int type) | |
| 160 | +static int smack_syslog(int type, bool from_file) | |
| 161 | 161 | { |
| 162 | 162 | int rc; |
| 163 | 163 | char *sp = current_security(); |
| 164 | 164 | |
| 165 | - rc = cap_syslog(type); | |
| 165 | + rc = cap_syslog(type, from_file); | |
| 166 | 166 | if (rc != 0) |
| 167 | 167 | return rc; |
| 168 | 168 |