[13/13] android: ram_console: honor dmesg_restrict

Message ID	1331157503-3413-14-git-send-email-john.stultz@linaro.org
State	Superseded
Headers	show Return-Path: <patch+caf_=linaro-patchwork=canonical.com@linaro.org> Received-SPF: pass (google.com: domain of jstultz@us.ibm.com designates 32.97.110.158 as permitted sender) client-ip=32.97.110.158; Gateway: Authorized Use Only! Violators will be prosecuted for <patches@linaro.org> from <jstultz@us.ibm.com>; Wed, 7 Mar 2012 14:58:37 -0700 Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 7 Mar 2012 14:58:35 -0700 From: John Stultz <john.stultz@linaro.org> To: lkml <linux-kernel@vger.kernel.org> Cc: Nick Kralevich <nnk@google.com>, Greg KH <gregkh@linuxfoundation.org>, Android Kernel Team <kernel-team@android.com>, John Stultz <john.stultz@linaro.org> Subject: [PATCH 13/13] android: ram_console: honor dmesg_restrict Date: Wed, 7 Mar 2012 13:58:23 -0800 Message-Id: <1331157503-3413-14-git-send-email-john.stultz@linaro.org> In-Reply-To: <1331157503-3413-1-git-send-email-john.stultz@linaro.org> References: <1331157503-3413-1-git-send-email-john.stultz@linaro.org>

Message ID

1331157503-3413-14-git-send-email-john.stultz@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: domain of jstultz@us.ibm.com designates
	32.97.110.158 as permitted sender) client-ip=32.97.110.158; 
From: John Stultz <john.stultz@linaro.org>
To: lkml <linux-kernel@vger.kernel.org>
Cc: Nick Kralevich <nnk@google.com>, Greg KH <gregkh@linuxfoundation.org>,
	Android Kernel Team <kernel-team@android.com>,
	John Stultz <john.stultz@linaro.org>
Subject: [PATCH 13/13] android: ram_console: honor dmesg_restrict
Date: Wed,  7 Mar 2012 13:58:23 -0800
Message-Id: <1331157503-3413-14-git-send-email-john.stultz@linaro.org>
In-Reply-To: <1331157503-3413-1-git-send-email-john.stultz@linaro.org>
References: <1331157503-3413-1-git-send-email-john.stultz@linaro.org>

Commit Message

John Stultz March 7, 2012, 9:58 p.m. UTC

From: Nick Kralevich <nnk@google.com>

The Linux kernel has a setting called dmesg_restrict. When true,
only processes with CAP_SYSLOG can view the kernel dmesg logs. This
helps prevent leaking of kernel information into user space.

On Android, it's possible to bypass these restrictions by viewing
/proc/last_kmsg.

This change makes /proc/last_kmsg require the same permissions as
dmesg.

Bug: 5555691
CC: Greg KH <gregkh@linuxfoundation.org>
CC: Android Kernel Team <kernel-team@android.com>
Change-Id: I50ecb74012ef2ac0a3cff7325192634341fddae9
Signed-off-by: Nick Kralevich <nnk@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 drivers/staging/android/ram_console.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/staging/android/ram_console.c b/drivers/staging/android/ram_console.c
index d956b84..b242be2 100644
--- a/drivers/staging/android/ram_console.c
+++ b/drivers/staging/android/ram_console.c
@@ -99,6 +99,9 @@  static ssize_t ram_console_read_old(struct file *file, char __user *buf,
 	char *str;
 	int ret;
 
+	if (dmesg_restrict && !capable(CAP_SYSLOG))
+		return -EPERM;
+
 	/* Main last_kmsg log */
 	if (pos < old_log_size) {
 		count = min(len, (size_t)(old_log_size - pos));

[13/13] android: ram_console: honor dmesg_restrict

Commit Message

Patch