diff --git a/debian/changelog b/debian/changelog
index 0a2ed1a17..6d799114d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ linux-2.6 (2.6.37-1) UNRELEASED; urgency=low
 * Set ABI to 1
 * Add aufs2.1, marked as staging (Closes: #573189, #613248)
 * fs/notify: Enable FANOTIFY (Closes: #599877)
+ * acer-wmi, aic94xx, asus_acpi, iscsi, janz-ican3, rtc-ds1511, tc1100-wmi:
+ Restrict write permissions on files in procfs/sysfs
 
 [ Aurelien Jarno ]
 * [sh4] Export cpu_core_map to fix build failure with CONFIG_SFC=m.
diff --git a/debian/patches/bugfix/all/net-can-janz-ican3-world-writable-sysfs-termination-.patch b/debian/patches/bugfix/all/net-can-janz-ican3-world-writable-sysfs-termination-.patch
new file mode 100644
index 000000000..dd041f71a
--- /dev/null
+++ b/debian/patches/bugfix/all/net-can-janz-ican3-world-writable-sysfs-termination-.patch
@@ -0,0 +1,30 @@
+From: Vasiliy Kulikov
+Date: Fri, 4 Feb 2011 02:23:53 +0000
+Subject: [PATCH 4/9] net: can: janz-ican3: world-writable sysfs termination file
+
+commit 1e6d93e45b231b3ae87c01902ede2315aacfe976 upstream.
+
+Don't allow everybody to set terminator via sysfs.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: David S. Miller
+---
+ drivers/net/can/janz-ican3.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/can/janz-ican3.c b/drivers/net/can/janz-ican3.c
+index b9a6d7a..366f5cc 100644
+--- a/drivers/net/can/janz-ican3.c
++++ b/drivers/net/can/janz-ican3.c
+@@ -1618,7 +1618,7 @@ static ssize_t ican3_sysfs_set_term(struct device *dev,
+ return count;
+ }
+
+-static DEVICE_ATTR(termination, S_IWUGO | S_IRUGO, ican3_sysfs_show_term,
++static DEVICE_ATTR(termination, S_IWUSR | S_IRUGO, ican3_sysfs_show_term,
+ ican3_sysfs_set_term);
+
+ static struct attribute *ican3_sysfs_attrs[] = {
+--
+1.7.2.3
+
diff --git a/debian/patches/bugfix/all/rtc-rtc-ds1511-world-writable-sysfs-nvram-file.patch b/debian/patches/bugfix/all/rtc-rtc-ds1511-world-writable-sysfs-nvram-file.patch
new file mode 100644
index 000000000..2b56188be
--- /dev/null
+++ b/debian/patches/bugfix/all/rtc-rtc-ds1511-world-writable-sysfs-nvram-file.patch
@@ -0,0 +1,29 @@
+From: Vasiliy Kulikov
+Subject: [PATCH 17/20] rtc: rtc-ds1511: world-writable sysfs nvram file
+Date: Fri, 4 Feb 2011 15:24:06 +0300
+
+Don't allow everybogy to write to NVRAM.
+
+Signed-off-by: Vasiliy Kulikov
+---
+ Compile tested only.
+
+ drivers/rtc/rtc-ds1511.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/rtc/rtc-ds1511.c b/drivers/rtc/rtc-ds1511.c
+index 37268e9..afeb546 100644
+--- a/drivers/rtc/rtc-ds1511.c
++++ b/drivers/rtc/rtc-ds1511.c
+@@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, struct kobject *kobj,
+ static struct bin_attribute ds1511_nvram_attr = {
+ .attr = {
+ .name = "nvram",
+- .mode = S_IRUGO | S_IWUGO,
++ .mode = S_IRUGO | S_IWUSR,
+ },
+ .size = DS1511_RAM_MAX,
+ .read = ds1511_nvram_read,
+--
+1.7.0.4
+
diff --git a/debian/patches/bugfix/all/scsi-aic94xx-world-writable-sysfs-update_bios-file.patch b/debian/patches/bugfix/all/scsi-aic94xx-world-writable-sysfs-update_bios-file.patch
new file mode 100644
index 000000000..6565bfe94
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-aic94xx-world-writable-sysfs-update_bios-file.patch
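Review bot: In the rtc-ds1511 patch, `.mode = S_IRUGO | S_IWUSR` in ds1511_nvram_attr still leaves the nvram file readable by every local user through `.read = ds1511_nvram_read`; only the write side is restricted. Whether the RTC's battery-backed RAM holds anything sensitive depends on what the platform stores there, which this hunk does not show. If no unprivileged reader is known, `.mode = S_IRUSR | S_IWUSR,` would be the tighter default, and otherwise a short comment on why world-read is kept would help. The initializer continues past the end of the hunk.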
@@ -0,0 +1,29 @@
+From: Vasiliy Kulikov
+Subject: [PATCH 18/20] scsi: aic94xx: world-writable sysfs update_bios file
+Date: Fri, 4 Feb 2011 15:24:10 +0300
+
+Don't allow everybody to load firmware.
+
+Signed-off-by: Vasiliy Kulikov
+---
+ Compile tested only.
+
+ drivers/scsi/aic94xx/aic94xx_init.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/scsi/aic94xx/aic94xx_init.c b/drivers/scsi/aic94xx/aic94xx_init.c
+index 3b7e83d..d5ff142 100644
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(struct device *dev,
+ flash_error_table[i].reason);
+ }
+
+-static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
++static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
+ asd_show_update_bios, asd_store_update_bios);
+
+ static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
+--
+1.7.0.4
+
diff --git a/debian/patches/bugfix/all/scsi-iscsi-world-writable-sysfs-priv_sess-file.patch b/debian/patches/bugfix/all/scsi-iscsi-world-writable-sysfs-priv_sess-file.patch
new file mode 100644
index 000000000..fb47bd925
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-iscsi-world-writable-sysfs-priv_sess-file.patch
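Review bot: The aic94xx patch header records no upstream origin: unlike the janz-ican3, acer-wmi, asus_acpi and tc1100-wmi patches in this commit, it has no `commit … upstream.` line, and the text under `---` says `Compile tested only.` The rtc-ds1511 and iscsi patches are in the same state. Presumably all three were taken from the mailing-list posting rather than from an applied commit. A DEP-3 style line such as `Forwarded: <URL of the list posting>` in each header, replaced by the upstream commit id once there is one, would let a later reviewer confirm the change matches what was merged and know when the patch can be dropped.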
@@ -0,0 +1,29 @@
+From: Vasiliy Kulikov
+Subject: [PATCH 19/20] scsi: iscsi: world-writable sysfs priv_sess file
+Date: Fri, 4 Feb 2011 15:24:14 +0300
+
+Don't allow everybody to change iSCSI settings.
+
+Signed-off-by: Vasiliy Kulikov
+---
+ Compile tested only.
+
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index f905ecb..01543d2 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -1847,7 +1847,7 @@ store_priv_session_##field(struct device *dev, \
+ #define iscsi_priv_session_rw_attr(field, format) \
+ iscsi_priv_session_attr_show(field, format) \
+ iscsi_priv_session_attr_store(field) \
+-static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUGO, \
++static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUSR, \
+ show_priv_session_##field, \
+ store_priv_session_##field)
+ iscsi_priv_session_rw_attr(recovery_tmo, "%d");
+--
+1.7.0.4
+
diff --git a/debian/patches/bugfix/x86/platform-x86-acer-wmi-world-writable-sysfs-threeg-fi.patch b/debian/patches/bugfix/x86/platform-x86-acer-wmi-world-writable-sysfs-threeg-fi.patch
new file mode 100644
index 000000000..9d452d1c8
--- /dev/null
+++ b/debian/patches/bugfix/x86/platform-x86-acer-wmi-world-writable-sysfs-threeg-fi.patch
@@ -0,0 +1,30 @@
+From: Vasiliy Kulikov
+Date: Fri, 4 Feb 2011 15:23:56 +0300
+Subject: [PATCH 7/9] platform: x86: acer-wmi: world-writable sysfs threeg file
+
+commit a6414907541a44db0586b894b0f19b3be6457da3 upstream.
+
+Don't allow everybody to write to hardware registers.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Matthew Garrett
+---
+ drivers/platform/x86/acer-wmi.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
+index c5c4b8c..a7bcad7 100644
+--- a/drivers/platform/x86/acer-wmi.c
++++ b/drivers/platform/x86/acer-wmi.c
+@@ -1280,7 +1280,7 @@ static ssize_t set_bool_threeg(struct device *dev,
+ return -EINVAL;
+ return count;
+ }
+-static DEVICE_ATTR(threeg, S_IWUGO | S_IRUGO | S_IWUSR, show_bool_threeg,
++static DEVICE_ATTR(threeg, S_IRUGO | S_IWUSR, show_bool_threeg,
+ set_bool_threeg);
+
+ static ssize_t show_interface(struct device *dev, struct device_attribute *attr,
+--
+1.7.2.3
+
diff --git a/debian/patches/bugfix/x86/platform-x86-asus_acpi-world-writable-procfs-files.patch b/debian/patches/bugfix/x86/platform-x86-asus_acpi-world-writable-procfs-files.patch
new file mode 100644
index 000000000..cf38d4cf8
--- /dev/null
+++ b/debian/patches/bugfix/x86/platform-x86-asus_acpi-world-writable-procfs-files.patch
@@ -0,0 +1,39 @@
+From: Vasiliy Kulikov
+Date: Fri, 4 Feb 2011 15:23:59 +0300
+Subject: [PATCH 8/9] platform: x86: asus_acpi: world-writable procfs files
+
+commit e75b7eb5716256c52a123a467be25fb5e03fa930 upstream.
+
+Don't allow everybody to change ACPI settings. The comment says that it
+is done deliberatelly, however, the comment before disp_proc_write()
+says that at least one of these setting is experimental.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Matthew Garrett
+---
+ drivers/platform/x86/asus_acpi.c | 8 +-------
+ 1 files changed, 1 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/x86/asus_acpi.c b/drivers/platform/x86/asus_acpi.c
+index 4633fd8..fe49593 100644
+--- a/drivers/platform/x86/asus_acpi.c
++++ b/drivers/platform/x86/asus_acpi.c
+@@ -1081,14 +1081,8 @@ static int asus_hotk_add_fs(struct acpi_device *device)
+ struct proc_dir_entry *proc;
+ mode_t mode;
+
+- /*
+- * If parameter uid or gid is not changed, keep the default setting for
+- * our proc entries (-rw-rw-rw-) else, it means we care about security,
+- * and then set to -rw-rw----
+- */
+-
+ if ((asus_uid == 0) && (asus_gid == 0)) {
+- mode = S_IFREG | S_IRUGO | S_IWUGO;
++ mode = S_IFREG | S_IRUGO | S_IWUSR | S_IWGRP;
+ } else {
+ mode = S_IFREG | S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP;
+ printk(KERN_WARNING " asus_uid and asus_gid parameters are "
+--
+1.7.2.3
+
diff --git a/debian/patches/bugfix/x86/platform-x86-tc1100-wmi-world-writable-sysfs-wireles.patch b/debian/patches/bugfix/x86/platform-x86-tc1100-wmi-world-writable-sysfs-wireles.patch
new file mode 100644
index 000000000..4b6bbb608
--- /dev/null
+++ b/debian/patches/bugfix/x86/platform-x86-tc1100-wmi-world-writable-sysfs-wireles.patch
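Review bot: In the asus_acpi.c hunk, the comment that explained the two permission branches in asus_hotk_add_fs() is deleted without a replacement, so `if ((asus_uid == 0) && (asus_gid == 0))` no longer says why the branches differ. After the change the first branch yields -rw-rw-r-- and the else branch -rw-rw----, so they now differ only in the read bit for others. A one-line replacement would keep that visible, e.g. `/* asus_uid/asus_gid left at 0: -rw-rw-r--; otherwise -rw-rw---- (no access for others) */`. The function body starts before and continues after the hunk.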
@@ -0,0 +1,30 @@
+From: Vasiliy Kulikov
+Date: Fri, 4 Feb 2011 15:24:03 +0300
+Subject: [PATCH 9/9] platform: x86: tc1100-wmi: world-writable sysfs wireless and jogdial files
+
+commit 9f6c8b9930b72876dbd934e8563818cfb5e481e2 upstream.
+
+Don't allow everybody to change WMI settings.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Matthew Garrett
+---
+ drivers/platform/x86/tc1100-wmi.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/platform/x86/tc1100-wmi.c b/drivers/platform/x86/tc1100-wmi.c
+index 1fe0f1f..865ef78 100644
+--- a/drivers/platform/x86/tc1100-wmi.c
++++ b/drivers/platform/x86/tc1100-wmi.c
+@@ -162,7 +162,7 @@ set_bool_##value(struct device *dev, struct device_attribute *attr, \
+ return -EINVAL; \
+ return count; \
+ } \
+-static DEVICE_ATTR(value, S_IWUGO | S_IRUGO | S_IWUSR, \
++static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, \
+ show_bool_##value, set_bool_##value);
+
+ show_set_bool(wireless, TC1100_INSTANCE_WIRELESS);
+--
+1.7.2.3
+
diff --git a/debian/patches/series/1 b/debian/patches/series/1
index 55664612c..b38587003 100644
--- a/debian/patches/series/1
+++ b/debian/patches/series/1
@@ -14,3 +14,11 @@
 + features/all/aufs2/aufs2-add.patch
 # mark as staging/crap
 + features/all/aufs2/mark-as-staging.patch
+
++ bugfix/all/net-can-janz-ican3-world-writable-sysfs-termination-.patch
++ bugfix/x86/platform-x86-acer-wmi-world-writable-sysfs-threeg-fi.patch
++ bugfix/x86/platform-x86-asus_acpi-world-writable-procfs-files.patch
++ bugfix/x86/platform-x86-tc1100-wmi-world-writable-sysfs-wireles.patch
++ bugfix/all/rtc-rtc-ds1511-world-writable-sysfs-nvram-file.patch
++ bugfix/all/scsi-aic94xx-world-writable-sysfs-update_bios-file.patch
++ bugfix/all/scsi-iscsi-world-writable-sysfs-priv_sess-file.patch