On Wed, Oct 4, 2017 at 7:28 PM, Linus Torvalds <torva...@linux-foundation.org> wrote:
> On Wed, Oct 4, 2017 at 10:08 AM, Linus Torvalds
> <torva...@linux-foundation.org> wrote:
>>
>> So I honestly doubt the value of kptr_restrict. Any *sane* policy
>> pretty much has to be in the caller, and by thinking about what you
>> print out. IOW, things like proc_pid_wchan().
>
> Looking at /proc/kallsyms is actually a prime example of this.
>
> IOW, the old "open /proc/kallsyms as a normal user, then make it stdin
> for some suid-root program that can be fooled to output it probably
> works on it.
Actually, /proc/kallsyms uses %pK, which hacks around this issue by checking for `euid != uid` in addition to the capability check - so this isn't exploitable through a typical setuid program.
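To make the point above concrete, here is an added stand-alone model of the %pK decision (written for this note, not the thread's or the kernel's own code; the real logic is `restricted_pointer()` in lib/vsprintf.c, and `struct caller` is a hypothetical stand-in for the task's credentials). It shows why a setuid-root helper fed /proc/kallsyms on stdin still sees zeroed addresses under kptr_restrict=1: it passes the capability check but fails the euid == uid check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for the reading task's credentials. */
struct caller {
    uid_t uid;        /* real uid of the task doing the read */
    uid_t euid;       /* effective uid (0 for a setuid-root helper) */
    bool  cap_syslog; /* task holds CAP_SYSLOG */
};

/* Simplified model of the kernel's %pK policy: return the address the
 * reader would see, or 0 when the policy hides it. */
static uintptr_t restricted_pointer(int kptr_restrict, uintptr_t ptr,
                                    const struct caller *c)
{
    switch (kptr_restrict) {
    case 0:
        return ptr;                 /* no restriction */
    case 1:
        /* The capability check alone would let a setuid-root helper
         * through; the extra euid != uid check is what closes that
         * path, since such a helper runs with euid 0 but uid != 0. */
        if (!c->cap_syslog || c->euid != c->uid)
            return 0;
        return ptr;
    default:
        return 0;                   /* 2 and above: always hidden */
    }
}

int main(void)
{
    /* Constructed sample: one symbol address, three kinds of reader. */
    const uintptr_t addr = 0xffffffff81000000UL;
    const struct caller user = { .uid = 1000, .euid = 1000, .cap_syslog = false };
    const struct caller suid = { .uid = 1000, .euid = 0,    .cap_syslog = true  };
    const struct caller root = { .uid = 0,    .euid = 0,    .cap_syslog = true  };

    for (int kr = 0; kr <= 2; kr++) {
        printf("kptr_restrict=%d user=%016lx suid-helper=%016lx root=%016lx\n", kr,
               (unsigned long)restricted_pointer(kr, addr, &user),
               (unsigned long)restricted_pointer(kr, addr, &suid),
               (unsigned long)restricted_pointer(kr, addr, &root));
    }
    return 0;
}
```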