Re: [PATCH] syslog: check cap_syslog when dmesg_restrict

From: Daniel J Walsh
Date: Fri Dec 10 2010 - 09:02:52 EST

Next message: Jiri Kosina: "Re: [PATCH UPDATED] poll: fix a typo in comment"
Previous message: Uwe Kleine-KÃnig: "[PATCH] trivial: fix typos concerning "consistent""
In reply to: James Morris: "Re: [PATCH] syslog: check cap_syslog when dmesg_restrict"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/08/2010 05:56 PM, James Morris wrote:
> On Wed, 8 Dec 2010, Serge E. Hallyn wrote:
>
>> Eric Paris pointed out that it doesn't make sense to require
>> both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
>> So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
>> is set.
>>
>> (I'm also consolidating the now common error path)
>>
>> Signed-off-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>
> Applied.
>
> (Please cc the lsm list with security patches).
>
>> ---
>> Documentation/sysctl/kernel.txt | 2 +-
>> kernel/printk.c | 20 ++++++++++----------
>> 2 files changed, 11 insertions(+), 11 deletions(-)
>>
>> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
>> index 209e158..5740671 100644
>> --- a/Documentation/sysctl/kernel.txt
>> +++ b/Documentation/sysctl/kernel.txt
>> @@ -219,7 +219,7 @@ dmesg_restrict:
>> This toggle indicates whether unprivileged users are prevented from using
>> dmesg(8) to view messages from the kernel's log buffer. When
>> dmesg_restrict is set to (0) there are no restrictions. When
>> -dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use
>> +dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use
>> dmesg(8).
>>
>> The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default
>> diff --git a/kernel/printk.c b/kernel/printk.c
>> index 0712380..0cecba0 100644
>> --- a/kernel/printk.c
>> +++ b/kernel/printk.c
>> @@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>> * at open time.
>> */
>> if (type == SYSLOG_ACTION_OPEN || !from_file) {
>> - if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
>> - return -EPERM;
>> + if (dmesg_restrict && !capable(CAP_SYSLOG))
>> + goto warn; /* switch to return -EPERM after 2.6.39 */
>> if ((type != SYSLOG_ACTION_READ_ALL &&
>> type != SYSLOG_ACTION_SIZE_BUFFER) &&
>> - !capable(CAP_SYSLOG)) {
>> - /* remove after 2.6.38 */
>> - if (capable(CAP_SYS_ADMIN))
>> - WARN_ONCE(1, "Attempt to access syslog with "
>> - "CAP_SYS_ADMIN but no CAP_SYSLOG "
>> - "(deprecated and denied).\n");
>> - return -EPERM;
>> - }
>> + !capable(CAP_SYSLOG))
>> + goto warn; /* switch to return -EPERM after 2.6.39 */
>> }
>>
>> error = security_syslog(type);
>> @@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>> }
>> out:
>> return error;
>> +warn:
>> + /* remove after 2.6.39 */
>> + if (capable(CAP_SYS_ADMIN))
>> + WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
>> + "but no CAP_SYSLOG (deprecated and denied).\n");
>> + return -EPERM;
>> }
>>
>> SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
>> --
>> 1.7.0.4
>>
>

Does anyone have an idea of which domains are going to be effected by
this change?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0CMvcACgkQrlYvE4MpobP++gCgyJtjhYDfgXnc0TBOGseOpF67
zHoAn3bEditZdnj/OLGInp7FeCaxNQXH
=cOvZ
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jiri Kosina: "Re: [PATCH UPDATED] poll: fix a typo in comment"
Previous message: Uwe Kleine-KÃnig: "[PATCH] trivial: fix typos concerning "consistent""
In reply to: James Morris: "Re: [PATCH] syslog: check cap_syslog when dmesg_restrict"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]