
kernel-2.6.18-238.el5.src.rpm

From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 Patch] 219230 Remove capability requirement to reading cap-bound
Date: Fri, 22 Dec 2006 15:37:46 -0500
Bugzilla: 219230
Message-Id: <1166819866.23016.78.camel@localhost.localdomain>
Changelog: Remove capability requirement to reading cap-bound


BZ 219230

Reading /proc/sys/kernel/cap-bound requires CAP_SYS_MODULE.  (see
proc_dointvec_bset in kernel/sysctl.c)

sysctl appears to drive all over proc reading everything it can get its
hands on and is complaining when it is being denied access to read
cap-bound.  Clearly writing to cap-bound should be a sensitive operation
but requiring CAP_SYS_MODULE to read cap-bound seems a bit too strong.  I
believe the information could with reasonable certainty be obtained by
looking at a bunch of the output of /proc/pid/status which has very low
security protection, so at best we are just getting a little obfuscation
of information.

Currently SELinux policy has to 'dontaudit' capability checks for
CAP_SYS_MODULE for things like sysctl which just want to read cap-bound.
In doing so we also, as a by-product, have to hide warnings of potential
exploits such as if at some time sysctl actually tried to load a
module.

I have tested this by booting and trying to read cap-bound in a domain
which selinux does not grant CAP_SYS_MODULE and it works.  It also will
not let me write to cap-bound in that domain so all is as expected.

This patch has been accepted into -mm in the last couple of days but I'm
not certain when it is expected to be in Linus's tree.

http://lkml.org/lkml/2006/12/15/166

-Eric

--- linux-2.6.18.i686/kernel/sysctl.c.pre.write
+++ linux-2.6.18.i686/kernel/sysctl.c
@@ -1930,7 +1930,7 @@ int proc_dointvec_bset(ctl_table *table,
 {
 	int op;
 
-	if (!capable(CAP_SYS_MODULE)) {
+	if (write && !capable(CAP_SYS_MODULE)) {
 		return -EPERM;
 	}
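Review bot: the new condition `if (write && !capable(CAP_SYS_MODULE))` relies on the `write` argument, but the `@@` header truncates the function signature after `ctl_table *table,`, so the parameter's name and meaning are not visible in this hunk; please confirm it is the proc handler's write flag (non-zero on a write) so that reads now fall through to the ordinary integer handler while writes without CAP_SYS_MODULE still return -EPERM, as the description claims. Minor style point, pre-existing rather than introduced here: kernel style drops the braces around a lone `return -EPERM;`.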