Thursday, January 13, 2011

CAP_SYSLOG

Patches

commit 38ef4c2e437d11b5922723504b62824e96761459
Author: Serge E. Hallyn
Date:   Wed Dec 8 15:19:01 2010 +0000

    syslog: check cap_syslog when dmesg_restrict
   
    Eric Paris pointed out that it doesn't make sense to require
    both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
    So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
    is set.
   
    (I'm also consolidating the now common error path)
   

commit ce6ada35bdf710d16582cc4869c26722547e6f11
Author: Serge E. Hallyn
Date:   Thu Nov 25 17:11:32 2010 +0000

    security: Define CAP_SYSLOG
   
    Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
    this off into a new CAP_SYSLOG privilege which we can sanely take away
    from a container through the capability bounding set.
   
    With this patch, an lxc container can be prevented from messing with
    the host's syslog (i.e. dmesg -c).
   
    Changelog: mar 12 2010: add selinux capability2:cap_syslog perm
    Changelog: nov 22 2010:
        . port to new kernel
        . add a WARN_ONCE if userspace isn't using CAP_SYSLOG
   

These patches introduced the new CAP_SYSLOG capability and changed the capability
required for syslog operations from CAP_SYS_ADMIN to CAP_SYSLOG:

int do_syslog(int type, char __user *buf, int len, bool from_file)
{
    [..]
    if (type == SYSLOG_ACTION_OPEN || !from_file) {
        if (dmesg_restrict && !capable(CAP_SYSLOG))
            goto warn; /* switch to return -EPERM after 2.6.39 */
        if ((type != SYSLOG_ACTION_READ_ALL &&
             type != SYSLOG_ACTION_SIZE_BUFFER) &&
            !capable(CAP_SYSLOG))
            goto warn; /* switch to return -EPERM after 2.6.39 */
    }

[...]

It also broke my syslog-ng:
[   22.387886] ------------[ cut here ]------------
[   22.387899] WARNING: at kernel/printk.c:429 do_syslog+0x427/0x452()
[   22.387903] Hardware name: Aspire 5741G   
[   22.387905] Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated and denied).
[..] Call Trace [..]



The problem is that setcap still doesn't know about CAP_SYSLOG:

# setcap  'cap_sys_admin=+pe' syslog-ng
# setcap  'cap_syslog=+pe' syslog-ng
fatal error: Invalid argument
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
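
As an added example (not code from the original post or from the kernel), the C program below classifies a process from the CapEff and CapBnd lines of /proc/<pid>/status, flagging the case the warning above reports: CAP_SYS_ADMIN held without CAP_SYSLOG. The enum and function names and the sample status text are constructed for illustration; bit numbers 21 and 34 are the values of CAP_SYS_ADMIN and CAP_SYSLOG in linux/capability.h.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN in linux/capability.h */
#define CAP_SYSLOG_BIT    34 /* CAP_SYSLOG, the capability these commits add */

/* Hypothetical result names, chosen for this example. */
enum syslog_priv { PRIV_UNKNOWN, PRIV_SYSLOG, PRIV_ADMIN_ONLY, PRIV_BOUNDED_OUT, PRIV_NOT_HELD };

/* Extract one hex capability mask (e.g. "CapEff") from status text; 0 on success. */
static int cap_mask(const char *status, const char *field, uint64_t *out)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            const char *v = p + n + 1;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* empty or malformed value */
            *out = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Classify a process by what its capability sets allow for privileged syslog actions. */
enum syslog_priv classify_syslog_priv(const char *status)
{
    uint64_t eff, bnd;
    if (cap_mask(status, "CapEff", &eff) || cap_mask(status, "CapBnd", &bnd))
        return PRIV_UNKNOWN;
    if (eff & (1ULL << CAP_SYSLOG_BIT)) return PRIV_SYSLOG;
    if (eff & (1ULL << CAP_SYS_ADMIN_BIT)) return PRIV_ADMIN_ONLY;  /* the case the WARNING reports */
    if (!(bnd & (1ULL << CAP_SYSLOG_BIT))) return PRIV_BOUNDED_OUT; /* dropped from the bounding set */
    return PRIV_NOT_HELD;
}

int main(void)
{
    /* Constructed sample: a daemon given only cap_sys_admin=+pe, as in the post. */
    const char *sample = "Name:\tsyslog-ng\nCapPrm:\t0000000000200000\n"
                         "CapEff:\t0000000000200000\nCapBnd:\t00000007ffffffff\n";
    printf("syslog-ng sample -> %d\n", classify_syslog_priv(sample));
    return 0;
}
```

PRIV_BOUNDED_OUT corresponds to the container case in the second commit message: with CAP_SYSLOG removed from the bounding set, the process cannot acquire it later.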
