[PATCH RFC] Define CAP_SYSLOG

[PATCH RFC] Define CAP_SYSLOG

[Serge E. Hallyn]

Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
this off into a new CAP_SYSLOG privilege which we can sanely take away
from a container through the capability bounding set.

With this patch, an lxc container can be prevented from messing with
the host's syslog.

There is one downside to this patch:  If some site or distro currently
has syslogd/whatever running as a non-root user with cap_sys_admin+pe,
then it will need to be changed to run with cap_syslog+pe.  I don't
know if there are such sites, or if that concern means we should take
a different approach to introducing this change, or simply refuse this
change.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 include/linux/capability.h |    7 +++++--
 security/commoncap.c       |    2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 39e5ff5..837a55c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -249,7 +249,6 @@ struct cpu_vfs_cap_data {
 /* Allow configuration of the secure attention key */
 /* Allow administration of the random device */
 /* Allow examination and configuration of disk quotas */
-/* Allow configuring the kernel's syslog (printk behaviour) */
 /* Allow setting the domainname */
 /* Allow setting the hostname */
 /* Allow calling bdflush() */
@@ -355,7 +354,11 @@ struct cpu_vfs_cap_data {
 
 #define CAP_MAC_ADMIN        33
 
-#define CAP_LAST_CAP         CAP_MAC_ADMIN
+/* Allow configuring the kernel's syslog (printk behaviour) */
+
+#define CAP_SYSLOG           34
+
+#define CAP_LAST_CAP         CAP_SYSLOG
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
diff --git a/security/commoncap.c b/security/commoncap.c
index 6166973..018985e 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -899,7 +899,7 @@ int cap_syslog(int type, bool from_file)
 	if (type != SYSLOG_ACTION_OPEN && from_file)
 		return 0;
 	if ((type != SYSLOG_ACTION_READ_ALL &&
-	     type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
+	     type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYSLOG))
 		return -EPERM;
 	return 0;
 }
-- 
1.6.1

Re: [PATCH RFC] Define CAP_SYSLOG

[Kees Cook]

Hi Serge,

On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
> Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
> this off into a new CAP_SYSLOG privilege which we can sanely take away
> from a container through the capability bounding set.

Seems like a good idea, but it'll require code changes in libcap2,
libcap-ng, as well as manpages.

I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
but this is a nice distinct subsystem to do now.

Acked-By: Kees Cook <kees.cook@canonical.com>

-- 
Kees Cook
Ubuntu Security Team

Re: [PATCH RFC] Define CAP_SYSLOG

[Andrew G. Morgan]

Acked-by: Andrew G. Morgan <morgan@kernel.org>

I concur with Kees.

Cheers

Andrew

On Mon, Mar 8, 2010 at 10:58 AM, Kees Cook <kees@ubuntu.com> wrote:
> Hi Serge,
>
> On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
>> Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
>> this off into a new CAP_SYSLOG privilege which we can sanely take away
>> from a container through the capability bounding set.
>
> Seems like a good idea, but it'll require code changes in libcap2,
> libcap-ng, as well as manpages.
>
> I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
> but this is a nice distinct subsystem to do now.
>
> Acked-By: Kees Cook <kees.cook@canonical.com>
>
> --
> Kees Cook
> Ubuntu Security Team
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH RFC] Define CAP_SYSLOG

[Serge E. Hallyn]

Thanks, guys - I also need to update the selinux classmap in both
kernel and policy.  Hoping to get around to that this afternoon,
but not sure.

-serge

Quoting Andrew G. Morgan (morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> Acked-by: Andrew G. Morgan <morgan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
> 
> I concur with Kees.
> 
> Cheers
> 
> Andrew
> 
> On Mon, Mar 8, 2010 at 10:58 AM, Kees Cook <kees-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> wrote:
> > Hi Serge,
> >
> > On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
> >> Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
> >> this off into a new CAP_SYSLOG privilege which we can sanely take away
> >> from a container through the capability bounding set.
> >
> > Seems like a good idea, but it'll require code changes in libcap2,
> > libcap-ng, as well as manpages.
> >
> > I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
> > but this is a nice distinct subsystem to do now.
> >
> > Acked-By: Kees Cook <kees.cook-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
> >
> > --
> > Kees Cook
> > Ubuntu Security Team
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >