From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 Patch] 219230 Remove capability requirement to reading cap-bound
Date: Fri, 22 Dec 2006 15:37:46 -0500
Bugzilla: 219230
Message-Id: <1166819866.23016.78.camel@localhost.localdomain>
Changelog: Remove capability requirement to reading cap-bound

BZ 219230

Reading /proc/sys/kernel/cap-bound requires CAP_SYS_MODULE. (see proc_dointvec_bset in kernel/sysctl.c)

sysctl appears to drive all over proc reading everything it can get its hands on and is complaining when it is being denied access to read cap-bound. Clearly writing to cap-bound should be a sensitive operation, but requiring CAP_SYS_MODULE to read cap-bound seems a bit too strong. I believe the information could with reasonable certainty be obtained by looking at a bunch of the output of /proc/pid/status, which has very low security protection, so at best we are just getting a little obfuscation of information.

Currently SELinux policy has to 'dontaudit' capability checks for CAP_SYS_MODULE for things like sysctl which just want to read cap-bound. In doing so we also, as a by-product, have to hide warnings of potential exploits, such as if at some time sysctl actually tried to load a module.

I have tested this by booting and trying to read cap-bound in a domain which SELinux does not grant CAP_SYS_MODULE, and it works. It also will not let me write to cap-bound in that domain, so all is as expected.

This patch has been accepted into -mm in the last couple of days, but I'm not certain when it is expected to be in linus's tree.

http://lkml.org/lkml/2006/12/15/166

-Eric

--- linux-2.6.18.i686/kernel/sysctl.c.pre.write
+++ linux-2.6.18.i686/kernel/sysctl.c
@@ -1930,7 +1930,7 @@ int proc_dointvec_bset(ctl_table *table,
 {
 	int op;

-	if (!capable(CAP_SYS_MODULE)) {
+	if (write && !capable(CAP_SYS_MODULE)) {
 		return -EPERM;
 	}
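Review bot: with the `+` line gating only the write path on CAP_SYS_MODULE, the ctl_table entry's file mode becomes the sole control on who can read cap-bound, and the hunk does not show that entry; the review should confirm the mode is what is intended now that the capability check no longer covers reads, and the changelog should state that reads of this file are deliberately no longer capability-gated, since the hunk alone does not make the intent obvious. The early `return -EPERM` stays before `op` is used on either side of the change, so the write path is unaffected, which matches the "cannot write in that domain" test described above.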