commit 38ef4c2e437d11b5922723504b62824e96761459
Author: Serge E. Hallyn
Date: Wed Dec 8 15:19:01 2010 +0000
syslog: check cap_syslog when dmesg_restrict
Eric Paris pointed out that it doesn't make sense to require
both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
is set.
(I'm also consolidating the now common error path)
commit ce6ada35bdf710d16582cc4869c26722547e6f11
Author: Serge E. Hallyn
Date: Thu Nov 25 17:11:32 2010 +0000
security: Define CAP_SYSLOG
Privileged syslog operations currently require CAP_SYS_ADMIN. Split
this off into a new CAP_SYSLOG privilege which we can sanely take away
from a container through the capability bounding set.
With this patch, an lxc container can be prevented from messing with
the host's syslog (i.e. dmesg -c).
Changelog: mar 12 2010: add selinux capability2:cap_syslog perm
Changelog: nov 22 2010:
. port to new kernel
. add a WARN_ONCE if userspace isn't using CAP_SYSLOG
These commits introduced the new CAP_SYSLOG capability and changed the capability required for syslog operations from CAP_SYS_ADMIN to CAP_SYSLOG:
    int do_syslog(int type, char __user *buf, int len, bool from_file)
    {
    [..]
            if (type == SYSLOG_ACTION_OPEN || !from_file) {
                    if (dmesg_restrict && !capable(CAP_SYSLOG))
                            goto warn; /* switch to return -EPERM after 2.6.39 */
                    if ((type != SYSLOG_ACTION_READ_ALL &&
                         type != SYSLOG_ACTION_SIZE_BUFFER) &&
                        !capable(CAP_SYSLOG))
                            goto warn; /* switch to return -EPERM after 2.6.39 */
            }
    [...]
It also broke my syslog-ng:
[ 22.387886] ------------[ cut here ]------------
[ 22.387899] WARNING: at kernel/printk.c:429 do_syslog+0x427/0x452()
[ 22.387903] Hardware name: Aspire 5741G
[ 22.387905] Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated and denied).
[..] Call Trace [..]
The problem is that setcap still doesn't know about CAP_SYSLOG:
# setcap 'cap_sys_admin=+pe' syslog-ng
# setcap 'cap_syslog=+pe' syslog-ng
fatal error: Invalid argument
usage: setcap [-q] [-v] (-r|-|
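As an added worked example (my own code, not from this post, the kernel sources or the syslog-ng project), the following Python script shows the two things a defender wants to check after this change: whether a process actually holds CAP_SYSLOG, and whether a container's bounding set still allows it to obtain the capability at all, as the second commit message describes. It decodes the raw Cap* hex masks from /proc/<pid>/status, which the kernel prints regardless of whether userspace libcap knows the name cap_syslog, and it mirrors the capability gate of the do_syslog excerpt above as a pure function. Assumptions: the capability numbers CAP_SYS_ADMIN = 21 and CAP_SYSLOG = 34 and the SYSLOG_ACTION_* codes are the kernel's own constants; SAMPLE_STATUS is a constructed status excerpt; the "warn" result names the goto warn path whose WARN_ONCE message appears in the trace above.

```python
import re
import sys

# Capability bit numbers as defined in the kernel's include/linux/capability.h.
CAP_SYS_ADMIN = 21
CAP_SYSLOG = 34  # the capability introduced by the commit quoted above

# syslog(2) action codes from include/linux/syslog.h.
SYSLOG_ACTION_OPEN = 1
SYSLOG_ACTION_READ = 2
SYSLOG_ACTION_READ_ALL = 3
SYSLOG_ACTION_CLEAR = 5
SYSLOG_ACTION_SIZE_BUFFER = 10

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Constructed sample of a /proc/<pid>/status excerpt: the process holds only
# CAP_SYS_ADMIN (bit 21) and its bounding set stops at bit 33, i.e. CAP_SYSLOG
# has been dropped from it the way the commit message describes for a container.
SAMPLE_STATUS = """\
Name:\tsyslog-ng
Pid:\t1234
CapInh:\t0000000000000000
CapPrm:\t0000000000200000
CapEff:\t0000000000200000
CapBnd:\t00000003ffffffff
"""


def parse_cap_masks(status_text):
    """Return {field: int} for the Cap* lines of a /proc/<pid>/status dump.

    The kernel prints raw hex bitmasks here, so this works even when the
    userspace libcap name table does not know CAP_SYSLOG yet.
    """
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_FIELDS:
            masks[m.group(1)] = int(m.group(2), 16)
    missing = [f for f in CAP_FIELDS if f not in masks]
    if missing:
        raise ValueError("status dump lacks fields: " + ", ".join(missing))
    return masks


def has_cap(mask, cap):
    """True if capability number `cap` is set in the bitmask `mask`."""
    return bool((mask >> cap) & 1)


def syslog_check(action, from_file, dmesg_restrict, eff_mask):
    """Mirror of the capability gate in the do_syslog excerpt.

    Returns "ok" when the action needs no capability or CAP_SYSLOG is held,
    "warn" for the CAP_SYS_ADMIN-only path (the WARN_ONCE seen in the trace),
    and "eperm" when neither capability is present.
    """
    needs_cap_syslog = False
    if action == SYSLOG_ACTION_OPEN or not from_file:
        if dmesg_restrict:
            needs_cap_syslog = True
        elif action not in (SYSLOG_ACTION_READ_ALL, SYSLOG_ACTION_SIZE_BUFFER):
            needs_cap_syslog = True
    if not needs_cap_syslog or has_cap(eff_mask, CAP_SYSLOG):
        return "ok"
    if has_cap(eff_mask, CAP_SYS_ADMIN):
        return "warn"
    return "eperm"


def syslog_report(status_text, dmesg_restrict):
    """Summarise what a process with these masks can do with the kernel log."""
    masks = parse_cap_masks(status_text)
    eff = masks["CapEff"]
    return {
        "cap_syslog_effective": has_cap(eff, CAP_SYSLOG),
        "cap_syslog_in_bounding_set": has_cap(masks["CapBnd"], CAP_SYSLOG),
        # clearing the ring buffer via the syscall (never through /proc/kmsg)
        "clear_buffer": syslog_check(SYSLOG_ACTION_CLEAR, False, dmesg_restrict, eff),
        # reading the whole buffer, as dmesg does
        "dmesg_read_all": syslog_check(SYSLOG_ACTION_READ_ALL, False, dmesg_restrict, eff),
        # opening /proc/kmsg, which a syslog daemon does
        "kmsg_open": syslog_check(SYSLOG_ACTION_OPEN, True, dmesg_restrict, eff),
    }


if __name__ == "__main__":
    # With a pid argument, inspect a live process on a Linux host; otherwise
    # run against the constructed sample so the script works anywhere.
    if len(sys.argv) > 1:
        with open("/proc/%s/status" % sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_STATUS
    for restrict in (0, 1):
        print("dmesg_restrict=%d: %r" % (restrict, syslog_report(text, restrict)))
```

Run it with the pid of the syslog daemon to see why it hits the warning: CapEff carries bit 21 but not bit 34. For a container, CapBnd is the field that matters; once bit 34 is absent there, no setcap or setuid helper inside the container can bring CAP_SYSLOG back, which is the isolation the second commit is after. Note that a read on an already open /proc/kmsg (SYSLOG_ACTION_READ with from_file set) is not re-checked, exactly as in the excerpt; only the open is.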