kmsg: honor dmesg_restrict sysctl on /dev/kmsg (637241a9) · Commits · e / devices / android_kernel_oneplus_sm8150

fs/proc/kmsg.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait;

		static int kmsg_open(struct inode * inode, struct file * file)
		{
		return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE);
		return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC);
		}

		static int kmsg_release(struct inode * inode, struct file * file)
		{
		(void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE);
		(void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC);
		return 0;
		}

		@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file file, char __user buf,
		size_t count, loff_t *ppos)
		{
		if ((file->f_flags & O_NONBLOCK) &&
		!do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
		!do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
		return -EAGAIN;
		return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE);
		return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC);
		}

		static unsigned int kmsg_poll(struct file file, poll_table wait)
		{
		poll_wait(file, &log_wait, wait);
		if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE))
		if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC))
		return POLLIN \| POLLRDNORM;
		return 0;
		}

include/linux/syslog.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -44,8 +44,8 @@
		/* Return size of the log buffer */
		#define SYSLOG_ACTION_SIZE_BUFFER 10

		#define SYSLOG_FROM_CALL 0
		#define SYSLOG_FROM_FILE 1
		#define SYSLOG_FROM_READER 0
		#define SYSLOG_FROM_PROC 1

		int do_syslog(int type, char __user *buf, int count, bool from_file);

kernel/printk.c

+50 −41

Original line number	Diff line number	Diff line
		@@ -363,6 +363,53 @@ static void log_store(int facility, int level,
		log_next_seq++;
		}

		#ifdef CONFIG_SECURITY_DMESG_RESTRICT
		int dmesg_restrict = 1;
		#else
		int dmesg_restrict;
		#endif

		static int syslog_action_restricted(int type)
		{
		if (dmesg_restrict)
		return 1;
		/*
		* Unless restricted, we allow "read all" and "get buffer size"
		* for everybody.
		*/
		return type != SYSLOG_ACTION_READ_ALL &&
		type != SYSLOG_ACTION_SIZE_BUFFER;
		}

		static int check_syslog_permissions(int type, bool from_file)
		{
		/*
		* If this is from /proc/kmsg and we've already opened it, then we've
		* already done the capabilities checks at open time.
		*/
		if (from_file && type != SYSLOG_ACTION_OPEN)
		return 0;

		if (syslog_action_restricted(type)) {
		if (capable(CAP_SYSLOG))
		return 0;
		/*
		* For historical reasons, accept CAP_SYS_ADMIN too, with
		* a warning.
		*/
		if (capable(CAP_SYS_ADMIN)) {
		pr_warn_once("%s (%d): Attempt to access syslog with "
		"CAP_SYS_ADMIN but no CAP_SYSLOG "
		"(deprecated).\n",
		current->comm, task_pid_nr(current));
		return 0;
		}
		return -EPERM;
		}
		return security_syslog(type);
		}


		/* /dev/kmsg - userspace message inject/listen interface */
		struct devkmsg_user {
		u64 seq;
		@@ -620,7 +667,8 @@ static int devkmsg_open(struct inode inode, struct file file)
		if ((file->f_flags & O_ACCMODE) == O_WRONLY)
		return 0;

		err = security_syslog(SYSLOG_ACTION_READ_ALL);
		err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL,
		SYSLOG_FROM_READER);
		if (err)
		return err;

		@@ -813,45 +861,6 @@ static inline void boot_delay_msec(int level)
		}
		#endif

		#ifdef CONFIG_SECURITY_DMESG_RESTRICT
		int dmesg_restrict = 1;
		#else
		int dmesg_restrict;
		#endif

		static int syslog_action_restricted(int type)
		{
		if (dmesg_restrict)
		return 1;
		/* Unless restricted, we allow "read all" and "get buffer size" for everybody */
		return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER;
		}

		static int check_syslog_permissions(int type, bool from_file)
		{
		/*
		* If this is from /proc/kmsg and we've already opened it, then we've
		* already done the capabilities checks at open time.
		*/
		if (from_file && type != SYSLOG_ACTION_OPEN)
		return 0;

		if (syslog_action_restricted(type)) {
		if (capable(CAP_SYSLOG))
		return 0;
		/* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
		if (capable(CAP_SYS_ADMIN)) {
		printk_once(KERN_WARNING "%s (%d): "
		"Attempt to access syslog with CAP_SYS_ADMIN "
		"but no CAP_SYSLOG (deprecated).\n",
		current->comm, task_pid_nr(current));
		return 0;
		}
		return -EPERM;
		}
		return 0;
		}

		#if defined(CONFIG_PRINTK_TIME)
		static bool printk_time = 1;
		#else
		@@ -1249,7 +1258,7 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)

		SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
		{
		return do_syslog(type, buf, len, SYSLOG_FROM_CALL);
		return do_syslog(type, buf, len, SYSLOG_FROM_READER);
		}

		/*