Re: [PATCH] Restrict write access to dmesg_restrict

From: WANG Cong
Date: Tue Mar 15 2011 - 09:46:45 EST

Next message: Steven Rostedt: "Re: [PATCH v2 2.6.38-rc8-tip 7/20] 7: uprobes: store/restoreoriginal instruction."
Previous message: Matthew Garrett: "Re: [Intel-gfx] [PATCH] ACPI/Intel: Rework Opregion support"
In reply to: Richard Weinberger: "Re: [PATCH] Restrict write access to dmesg_restrict"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 14 Mar 2011 20:35:56 +0100, Richard Weinberger wrote:

> When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
> kernel ring buffer.
> But a root user without CAP_SYS_ADMIN is able to reset dmesg_restrict to
> 0.
>
> This is an issue when e.g. LXC (Linux Containers) are used and complete
> user space is running without CAP_SYS_ADMIN. A unprivileged and jailed
> root user can bypass the dmesg_restrict protection.
>
> With this patch writing to dmesg_restrict is only allowed when root has
> CAP_SYS_ADMIN.
>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>

Makes sense.

Reviewed-by: WANG Cong <xiyou.wangcong@xxxxxxxxx>

Thanks.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "Re: [PATCH v2 2.6.38-rc8-tip 7/20] 7: uprobes: store/restoreoriginal instruction."
Previous message: Matthew Garrett: "Re: [Intel-gfx] [PATCH] ACPI/Intel: Rework Opregion support"
In reply to: Richard Weinberger: "Re: [PATCH] Restrict write access to dmesg_restrict"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]