On Wed, Aug 23, 2017 at 7:56 AM, Luck, Tony <tony.l...@intel.com> wrote: >>> Should this not also have a capability check. Assuming file permissions >>> are sufficient for grabbing a chunk of system memory holding error >>> info doesn't seem too scary but it's at odds with a lot of other cases ? >> >> At least one of those other cases (pstore) added a capability check and now >> regret >> it. There's a thread on reverting it. Look for: >> >> Revert "pstore: Honor dmesg_restrict sysctl on dmesg dumps" > > Here's at least part of that thread: > > https://marc.info/?l=linux-kernel&m=150301241114262&w=2 > > Kees: you were OK with removing the capability check from pstore, right?
Yeah, as long as there is comparable protections. -Kees -- Kees Cook Pixel Security
