On 2016-04-15 00:41, Kees Cook wrote:
On Thu, Apr 14, 2016 at 6:02 PM, Linus Torvalds
<torva...@linux-foundation.org> wrote:
On Thu, Apr 14, 2016 at 1:27 PM, Emrah Demir <e...@abdsec.com> wrote:
On 2016-04-14 13:40, Linus Torvalds wrote:
I've pushed out my attempt at fixing things properly. Please check
that kexec works - and if kexec ends up reading that file as non-root,
I don't know what to say/do.
Here's the three relevant cases:
cat /proc/iomem
sudo cat /proc/iomem
sudo cat < /proc/iomem
and two of them will now show the resource ranges as just plain
zeroes. But yes, it needed extra infrastructure to be able to get this
right.
Yup, that's why I was saying I was going to try to cook something up
for -next. It isn't a trivial change. :) Thanks for fixing it up!
file_ns_capable bring some problems. I used capable and now there is no
problem as far as I tested.
It is attached.
Note: I couldn't write "Noted-by:, Reported-by:". Could you write them?
From 3f17bf8b1e9e129cdaf478a9e83a648b27f6fe73 Mon Sep 17 00:00:00 2001
From: Emrah Demir <e...@abdsec.com>
Date: Fri, 15 Apr 2016 18:34:12 +0300
Subject: [PATCH] /proc/iomem: only expose physical resource addresses to top
user fixing capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
file_ns_capable was used in order to show the value as 0, but while building
some problems came up.
kernel/resource.c: In function ‘r_show’:
kernel/resource.c:116:23: error: ‘struct seq_file’ has no member named ‘file’
if (file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) {
^
scripts/Makefile.build:291: recipe for target 'kernel/resource.o' failed
make[1]: *** [kernel/resource.o] Error 1
So instead of file_ns_capable, using capable solves the problem.
It's now working.
ltr@reces-0:~$ cat /proc/iomem
00000000-00000000 : reserved
00000000-00000000 : System RAM
00000000-00000000 : reserved
00000000-00000000 : PCI Bus 0000:00
00000000-00000000 : Video ROM
00000000-00000000 : Adapter ROM
00000000-00000000 : reserved
root@reces-0:/home/ltr# cat /proc/iomem
00000000-00000fff : reserved
00001000-0009dbff : System RAM
0009dc00-0009ffff : reserved
000a0000-000bffff : PCI Bus 0000:00
000c0000-000cedff : Video ROM
000cf000-000cffff : Adapter ROM
000e0000-000fffff : reserved
Signed-off-by: Emrah Demir <e...@abdsec.com>
---
kernel/resource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index c7727db..52a27e3 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -113,7 +113,7 @@ static int r_show(struct seq_file *m, void *v)
if (p->parent == root)
break;
- if (file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) {
+ if (capable(CAP_SYS_ADMIN)) {
start = r->start;
end = r->end;
} else {
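Review bot: replacing file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN) with capable(CAP_SYS_ADMIN) changes which credentials are checked. capable() tests the task performing the read, while file_ns_capable() tests the credentials the file was opened with (file->f_cred); the third case in the thread above, `sudo cat < /proc/iomem`, is opened by the unprivileged shell and read by a root cat, so with capable() it would show real addresses again instead of the zeroes the thread expects. The build error quoted in the commit message (`struct seq_file` has no member named `file`) indicates the tree being built does not contain the extra infrastructure the referenced commit depends on; rebasing onto a tree that has the seq_file `file` member looks preferable to changing the check. The tested output shown also covers only the plain and `sudo cat` cases, not the redirected one.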
--
2.8.0.rc3
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec