git.baikalelectronics.ru Git - kernel.git/commit

author	Julius Hemanth Pitti <jpitti@cisco.com>
	Fri, 13 May 2022 23:58:15 +0000 (16:58 -0700)
committer	Andrew Morton <akpm@linux-foundation.org>
	Fri, 13 May 2022 23:58:15 +0000 (16:58 -0700)
commit	5c997a19ab5a36c0c9e356ea65d7c6f737939689
tree	3fd6171000d852799cbeb1a1637882d4185e79bd	tree \| snapshot
parent	6538fc18f2dd5aace1380bd87c8cad7d06da7da8	commit \| diff

proc/sysctl: make protected_* world readable

protected_* files have 600 permissions which prevents non-superuser from
reading them.

Container like "AWS greengrass" refuse to launch unless
protected_hardlinks and protected_symlinks are set. When containers like
these run with "userns-remap" or "--user" mapping container's root to
non-superuser on host, they fail to run due to denied read access to these
files.

As these protections are hardly a secret, and do not possess any security
risk, making them world readable.

Though above greengrass usecase needs read access to only
protected_hardlinks and protected_symlinks files, setting all other
protected_* files to 644 to keep consistency.

Link: http://lkml.kernel.org/r/20200709235115.56954-1-jpitti@cisco.com
Fixes: 63ac9416fc20 ("fs: add link restrictions")
Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Cc: Iurii Zaikin <yzaikin@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>