From: Daniel J Walsh <dwalsh@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Eric Paris <eparis@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Kees Cook <kees.cook@canonical.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] syslog: check cap_syslog when dmesg_restrict
Date: Fri, 10 Dec 2010 09:02:31 -0500 [thread overview]
Message-ID: <4D0232F7.6000105@redhat.com> (raw)
In-Reply-To: <alpine.LRH.2.00.1012090956220.13177@tundra.namei.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/08/2010 05:56 PM, James Morris wrote:
> On Wed, 8 Dec 2010, Serge E. Hallyn wrote:
>
>> Eric Paris pointed out that it doesn't make sense to require
>> both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
>> So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
>> is set.
>>
>> (I'm also consolidating the now common error path)
>>
>> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
>
> Applied.
>
> (Please cc the lsm list with security patches).
>
>> ---
>> Documentation/sysctl/kernel.txt | 2 +-
>> kernel/printk.c | 20 ++++++++++----------
>> 2 files changed, 11 insertions(+), 11 deletions(-)
>>
>> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
>> index 209e158..5740671 100644
>> --- a/Documentation/sysctl/kernel.txt
>> +++ b/Documentation/sysctl/kernel.txt
>> @@ -219,7 +219,7 @@ dmesg_restrict:
>> This toggle indicates whether unprivileged users are prevented from using
>> dmesg(8) to view messages from the kernel's log buffer. When
>> dmesg_restrict is set to (0) there are no restrictions. When
>> -dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use
>> +dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use
>> dmesg(8).
>>
>> The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default
>> diff --git a/kernel/printk.c b/kernel/printk.c
>> index 0712380..0cecba0 100644
>> --- a/kernel/printk.c
>> +++ b/kernel/printk.c
>> @@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>> * at open time.
>> */
>> if (type == SYSLOG_ACTION_OPEN || !from_file) {
>> - if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
>> - return -EPERM;
>> + if (dmesg_restrict && !capable(CAP_SYSLOG))
>> + goto warn; /* switch to return -EPERM after 2.6.39 */
>> if ((type != SYSLOG_ACTION_READ_ALL &&
>> type != SYSLOG_ACTION_SIZE_BUFFER) &&
>> - !capable(CAP_SYSLOG)) {
>> - /* remove after 2.6.38 */
>> - if (capable(CAP_SYS_ADMIN))
>> - WARN_ONCE(1, "Attempt to access syslog with "
>> - "CAP_SYS_ADMIN but no CAP_SYSLOG "
>> - "(deprecated and denied).\n");
>> - return -EPERM;
>> - }
>> + !capable(CAP_SYSLOG))
>> + goto warn; /* switch to return -EPERM after 2.6.39 */
>> }
>>
>> error = security_syslog(type);
>> @@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>> }
>> out:
>> return error;
>> +warn:
>> + /* remove after 2.6.39 */
>> + if (capable(CAP_SYS_ADMIN))
>> + WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
>> + "but no CAP_SYSLOG (deprecated and denied).\n");
>> + return -EPERM;
>> }
>>
>> SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
>> --
>> 1.7.0.4
>>
>
Does anyone have an idea of which domains are going to be effected by
this change?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0CMvcACgkQrlYvE4MpobP++gCgyJtjhYDfgXnc0TBOGseOpF67
zHoAn3bEditZdnj/OLGInp7FeCaxNQXH
=cOvZ
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2010-12-10 14:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-08 15:19 [PATCH] syslog: check cap_syslog when dmesg_restrict Serge E. Hallyn
2010-12-08 15:39 ` Eric Paris
2010-12-08 16:42 ` Serge E. Hallyn
2010-12-08 16:46 ` Eric Paris
2010-12-08 17:53 ` Kees Cook
2010-12-08 22:56 ` James Morris
2010-12-10 14:02 ` Daniel J Walsh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D0232F7.6000105@redhat.com \
--to=dwalsh@redhat.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox