Hello,
On (08/17/17 16:01), Kees Cook wrote:
> On Wed, Aug 16, 2017 at 6:29 PM, Sergey Senozhatsky
> wrote:
> > can we accidentally "leak" kernel pointers or some other critical
> > info? kptr_restrict requires CAP_SYSLOG and pstore read used to
> > require CAP_SYSLOG, but it seems that now we ca
On Wed, Aug 16, 2017 at 6:29 PM, Sergey Senozhatsky
wrote:
> can we accidentally "leak" kernel pointers or some other critical
> info? kptr_restrict requires CAP_SYSLOG and pstore read used to
> require CAP_SYSLOG, but it seems that now we can bypass it by
> letting "entirely unprivileged groups"
Hello Kees,
On (08/16/17 08:38), Kees Cook wrote:
[..]
> > so, effectively, `dmesg_restrict' does not work for pstore anymore? wouldn't
> > that be a problem? one more thing, doesn't it affect the consistency -- we
> > respect the `dmesg_restrict' restrictions, except that we ignore it when
> > ac
On Wed, Aug 16, 2017 at 12:59 AM, Sergey Senozhatsky
wrote:
> On (08/10/17 13:36), Kees Cook wrote:
> [..]
>> -static int pstore_check_syslog_permissions(struct pstore_private *ps)
>> -{
>> - switch (ps->record->type) {
>> - case PSTORE_TYPE_DMESG:
>> - case PSTORE_TYPE_CONSOLE:
>> -
On (08/10/17 13:36), Kees Cook wrote:
[..]
> -static int pstore_check_syslog_permissions(struct pstore_private *ps)
> -{
> - switch (ps->record->type) {
> - case PSTORE_TYPE_DMESG:
> - case PSTORE_TYPE_CONSOLE:
> - return check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
> -
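Review bot: removing pstore_check_syslog_permissions() drops the check_syslog_permissions(SYSLOG_ACTION_READ_ALL, ...) call for PSTORE_TYPE_DMESG and PSTORE_TYPE_CONSOLE records, so reads of those two record types are then gated only by the 0750 mode on the pstore root directory that the commit message relies on. The commit message should state explicitly whether dmesg_restrict and CAP_SYSLOG are still meant to apply to these records. If they are, keep the check: the directory mode can be changed by whoever mounts or chmods the filesystem, and the syslog check does not depend on it.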
On Tue, 15 Aug 2017 17:29:38 -0700
Kees Cook wrote:
> On Tue, Aug 15, 2017 at 5:21 PM, Steven Rostedt wrote:
> > On Thu, 10 Aug 2017 13:36:35 -0700
> > Kees Cook wrote:
> >
> >> This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
> >> various conflict clean-ups.
> >>
> >> With
On Tue, Aug 15, 2017 at 5:21 PM, Steven Rostedt wrote:
> On Thu, 10 Aug 2017 13:36:35 -0700
> Kees Cook wrote:
>
>> This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
>> various conflict clean-ups.
>>
>> With the default root directory mode set to 0750 now, the capability
>> check
On Thu, 10 Aug 2017 13:36:35 -0700
Kees Cook wrote:
> This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
> various conflict clean-ups.
>
> With the default root directory mode set to 0750 now, the capability
> check was redundant.
What's wrong with redundancy?
-- Steve
>
> S
On Tue, Aug 15, 2017 at 4:55 AM, Petr Mladek wrote:
> On Thu 2017-08-10 13:36:35, Kees Cook wrote:
>> This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
>> various conflict clean-ups.
>>
>> With the default root directory mode set to 0750 now, the capability
>> check was redundant.
On Thu 2017-08-10 13:36:35, Kees Cook wrote:
> This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
> various conflict clean-ups.
>
> With the default root directory mode set to 0750 now, the capability
> check was redundant.
>
> Suggested-by: Nick Kralevich
> Signed-off-by: Kees C
This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with
various conflict clean-ups.
With the default root directory mode set to 0750 now, the capability
check was redundant.
Suggested-by: Nick Kralevich
Signed-off-by: Kees Cook
---
fs/pstore/inode.c | 22 --