• [PATCH] make reading /proc/sys/kernel/cap-bound not require CAP_SYS_MODULE · 6ff1b442
    Eric Paris authored
    Reading /proc/sys/kernel/cap-bound requires CAP_SYS_MODULE.  (see
    proc_dointvec_bset in kernel/sysctl.c)
    
    sysctl appears to drive all over proc reading everything it can get its
    hands on and is complaining when it is being denied access to read
    cap-bound.  Clearly writing to cap-bound should be a sensitive operation
    but requiring CAP_SYS_MODULE to read cap-bound seems a bit too strong.  I
    believe the information could with reasonable certainty be obtained by
    looking at a bunch of the output of /proc/pid/status which has very low
    security protection, so at best we are just getting a little obfuscation of
    information.
    
    Currently SELinux policy has to 'dontaudit' capability checks for
    CAP_SYS_MODULE for things like sysctl which just want to read cap-bound.
    In doing so we also as a byproduct have to hide warnings of potential
    exploits such as if at some time that sysctl actually tried to load a
    module.  I wondered if anyone would have a problem opening cap-bound up to
    read from anyone?
    Acked-by: Chris Wright <chrisw@sous-sol.org>
    Cc: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: James Morris <jmorris@namei.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
sysctl.c 65.1 KB
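
The commit message argues that cap-bound can be inferred from /proc/pid/status. The following is an added example, not code from the commit or the kernel tree, showing one way that inference could work: it parses the CapInh/CapPrm/CapEff masks and ORs the permitted sets together. The sample status text is constructed, and the OR-of-permitted-sets approach is an assumption about what the author had in mind.

```python
import glob
import re

# A few capability bit numbers from <linux/capability.h>
CAP_BITS = {"CAP_SETPCAP": 8, "CAP_NET_BIND_SERVICE": 10,
            "CAP_SYS_MODULE": 16, "CAP_SYS_TIME": 25}
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_caps(status_text):
    """Return the hex capability masks of one status file as integers."""
    return {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}

def estimate_bound(status_texts):
    """OR the permitted sets together. Processes may have dropped
    capabilities, so the result is a lower bound on the bounding set."""
    bound = 0
    for text in status_texts:
        bound |= parse_caps(text).get("CapPrm", 0)
    return bound

def has_cap(mask, name):
    return bool((mask >> CAP_BITS[name]) & 1)

# Constructed sample input: a root daemon, a daemon that dropped most
# capabilities, and an unprivileged shell.
SAMPLES = [
    "Name:\tsyslogd\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\nCapEff:\t00000000fffffeff\n",
    "Name:\tntpd\nUid:\t38\t38\t38\t38\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000002000400\nCapEff:\t0000000002000400\n",
    "Name:\tbash\nUid:\t500\t500\t500\t500\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
]

def read_live_status():
    """Status text of every process this user may read (Linux only)."""
    texts = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            pass  # process exited or access denied
    return texts

if __name__ == "__main__":
    for label, texts in (("sample", SAMPLES), ("live", read_live_status())):
        mask = estimate_bound(texts)
        print(label, hex(mask), "CAP_SYS_MODULE" if has_cap(mask, "CAP_SYS_MODULE") else "-")
```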