Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 38ef4c2e authored by Serge E. Hallyn's avatar Serge E. Hallyn Committed by James Morris
Browse files

syslog: check cap_syslog when dmesg_restrict 



Eric Paris pointed out that it doesn't make sense to require
both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
is set.

(I'm also consolidating the now common error path)

Signed-off-by: default avatarSerge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Acked-by: default avatarKees Cook <kees.cook@canonical.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 5c6d1125

Documentation/sysctl/kernel.txt

+1 −1
Original line number Diff line number Diff line
@@ -219,7 +219,7 @@ dmesg_restrict: 
This toggle indicates whether unprivileged users are prevented from using

dmesg(8) to view messages from the kernel's log buffer.  When

dmesg_restrict is set to (0) there are no restrictions.  When

dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use

dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use

dmesg(8).



The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default

kernel/printk.c

+10 −10
Original line number Diff line number Diff line
@@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) 
	 * at open time.

	 */

	if (type == SYSLOG_ACTION_OPEN || !from_file) {

		if (dmesg_restrict && !capable(CAP_SYS_ADMIN))

			return -EPERM;

		if (dmesg_restrict && !capable(CAP_SYSLOG))

			goto warn; /* switch to return -EPERM after 2.6.39 */

		if ((type != SYSLOG_ACTION_READ_ALL &&

		     type != SYSLOG_ACTION_SIZE_BUFFER) &&

		    !capable(CAP_SYSLOG)) {

			/* remove after 2.6.38 */

			if (capable(CAP_SYS_ADMIN))

				WARN_ONCE(1, "Attempt to access syslog with "

				  "CAP_SYS_ADMIN but no CAP_SYSLOG "

				  "(deprecated and denied).\n");

			return -EPERM;

		}

		    !capable(CAP_SYSLOG))

			goto warn; /* switch to return -EPERM after 2.6.39 */

	}



	error = security_syslog(type);
@@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) 
	}

out:

	return error;

warn:

	/* remove after 2.6.39 */

	if (capable(CAP_SYS_ADMIN))

		WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "

		  "but no CAP_SYSLOG (deprecated and denied).\n");

	return -EPERM;

}



SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)