diff options
| author |   Richard Weinberger <richard@nod.at> | 2011-03-23 16:43:11 -0700 |
|---|---|---|
| committer |   Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-23 19:46:54 -0700 |
| commit | bfdc0b497faa82a0ba2f9dddcf109231dd519fcc (patch) | |
| tree | 932897262447dacb7158b81209748a295d93e20b /init/main.c | |
| parent | sysctl: add some missing input constraint checks (diff) | |
| download | linux-dev-bfdc0b497faa82a0ba2f9dddcf109231dd519fcc.tar.xz linux-dev-bfdc0b497faa82a0ba2f9dddcf109231dd519fcc.zip | |
sysctl: restrict write access to dmesg_restrict
When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel
ring buffer. But a root user without CAP_SYS_ADMIN is able to reset
dmesg_restrict to 0.
This is an issue when e.g. LXC (Linux Containers) are used and complete
user space is running without CAP_SYS_ADMIN. A unprivileged and jailed
root user can bypass the dmesg_restrict protection.
With this patch writing to dmesg_restrict is only allowed when root has
CAP_SYS_ADMIN.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Serge E. Hallyn <serge@hallyn.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: Eugene Teo <eugeneteo@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions