From 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 Mon Sep 17 00:00:00 2001
From: Sebastian Schmidt
Date: Sun, 19 Oct 2014 20:05:15 +0200
Subject: pstore: Honor dmesg_restrict sysctl on dmesg dumps

When the kernel.dmesg_restrict restriction is in place, only users with CAP_SYSLOG should be able to access crash dumps (like: attacker is trying to exploit a bug, watchdog reboots, attacker can happily read crash dumps and logs). This puts the restriction on console-* types as well as sensitive information could have been leaked there. Other log types are unaffected.

Signed-off-by: Sebastian Schmidt
Acked-by: Kees Cook
Signed-off-by: Tony Luck
---
 include/linux/syslog.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/linux')
diff --git a/include/linux/syslog.h b/include/linux/syslog.h
index 98a3153c0f96..9def5297dbb7 100644
--- a/include/linux/syslog.h
+++ b/include/linux/syslog.h
@@ -48,5 +48,6 @@
 #define SYSLOG_FROM_PROC 1
 int do_syslog(int type, char __user *buf, int count, bool from_file);
+int check_syslog_permissions(int type, bool from_file);
 #endif /* _LINUX_SYSLOG_H */
-- cgit v1.2.3
From 069fb0b63722f8c9f8b4bbce236793626c89af33 Mon Sep 17 00:00:00 2001
From: Sebastian Schmidt
Date: Fri, 14 Nov 2014 10:51:45 -0800
Subject: syslog: Provide stub check_syslog_permissions

When building without CONFIG_PRINTK, we need to provide a stub check_syslog_permissions. As there is no way to turn on the dmesg_restrict sysctl without CONFIG_PRINTK, return success.

Reported-by: Jim Davis
Signed-off-by: Sebastian Schmidt
Acked-by: Kees Cook
Signed-off-by: Tony Luck
---
 include/linux/syslog.h | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'include/linux')
diff --git a/include/linux/syslog.h b/include/linux/syslog.h
index 9def5297dbb7..4b7b875a7ce1 100644
--- a/include/linux/syslog.h
+++ b/include/linux/syslog.h
@@ -48,6 +48,14 @@
 #define SYSLOG_FROM_PROC 1
 int do_syslog(int type, char __user *buf, int count, bool from_file);
+
+#ifdef CONFIG_PRINTK
 int check_syslog_permissions(int type, bool from_file);
+#else
+static inline int check_syslog_permissions(int type, bool from_file)
+{
+ return 0;
+}
+#endif
 #endif /* _LINUX_SYSLOG_H */
-- cgit v1.2.3
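Review bot: The `#else` stub of `check_syslog_permissions()` returns 0 unconditionally, so every caller's permission check passes on a kernel built without CONFIG_PRINTK, and nothing in the header records why that fail-open result is acceptable. The reasoning exists only in the commit message; I would put it next to the code, e.g. `/* Without CONFIG_PRINTK the dmesg_restrict sysctl cannot be set, so there is nothing to enforce. */` above the stub. It would also help to document the return contract on the real prototype (0 evidently means access is allowed; the failure values are not visible in this hunk), since callers such as pstore rely on it to gate crash dumps. Whether persistent-store records written by an earlier boot can still be read in a !CONFIG_PRINTK build is not visible here and is worth confirming before relying on the stub.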