Removal of the kernel code/data/bss resources does break kexec/kdump
Dave Young
dyoung at redhat.com
Tue Apr 19 02:04:01 PDT 2016
On 04/14/16 at 06:02pm, Linus Torvalds wrote:
> On Thu, Apr 14, 2016 at 1:27 PM, Emrah Demir <ed at abdsec.com> wrote:
> > On 2016-04-14 13:40, Linus Torvalds wrote:
> >>
> >>
> >> Actually, %pK is horrible in /proc and /sys files, and does the wrong
> >> thing.
> >
> > I agree with that, but for now there is no way to make things right in /proc
> > or /sys.
>
> Well, there is now.
>
> I've pushed out my attempt at fixing things properly. Please check
> that kexec works - and if kexec ends up reading that file as non-root,
> I don't know what to say/do.
>
Checked kexec/kdump, for kdump it will read /proc/kcore, /proc/kcore is root
only thus it will be fine with the changes.
Though in the comment of kexec_load syscall it says "for obvious reasons only
root may call it", but in the code it is using:
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
So for kexec CAP_SYS_BOOT is enough, not necessarily to be root.
It is not clear how to handle it, maybe we can assume nobody is using it as
non-root, leave it as is or just add |CAP_SYS_BOOT for /proc/iomem?
Thanks
Dave
More information about the kexec
mailing list