Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753879Ab0LJOCk (ORCPT <rfc822;w@1wt.eu>);
	Fri, 10 Dec 2010 09:02:40 -0500
Received: from mx1.redhat.com ([209.132.183.28]:42881 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752234Ab0LJOCj (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 10 Dec 2010 09:02:39 -0500
Message-ID: <4D0232F7.6000105@redhat.com>
Date: Fri, 10 Dec 2010 09:02:31 -0500
From: Daniel J Walsh <dwalsh@redhat.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101122 Fedora/1.0-0.36.b2pre.fc15 Lightning/1.0b3pre Thunderbird/3.1.6
MIME-Version: 1.0
To: James Morris <jmorris@namei.org>
CC: "Serge E. Hallyn" <serge@hallyn.com>, Eric Paris <eparis@redhat.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        Kees Cook <kees.cook@canonical.com>, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: Re: [PATCH] syslog: check cap_syslog when dmesg_restrict
References: <20101208151901.GA20557@mail.hallyn.com> <alpine.LRH.2.00.1012090956220.13177@tundra.namei.org>
In-Reply-To: <alpine.LRH.2.00.1012090956220.13177@tundra.namei.org>
X-Enigmail-Version: 1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3440
Lines: 97

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/08/2010 05:56 PM, James Morris wrote:
> On Wed, 8 Dec 2010, Serge E. Hallyn wrote:
> 
>> Eric Paris pointed out that it doesn't make sense to require
>> both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions.
>> So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict
>> is set.
>>
>> (I'm also consolidating the now common error path)
>>
>> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> 
> Applied.
> 
> (Please cc the lsm list with security patches).
> 
>> ---
>>  Documentation/sysctl/kernel.txt |    2 +-
>>  kernel/printk.c                 |   20 ++++++++++----------
>>  2 files changed, 11 insertions(+), 11 deletions(-)
>>
>> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
>> index 209e158..5740671 100644
>> --- a/Documentation/sysctl/kernel.txt
>> +++ b/Documentation/sysctl/kernel.txt
>> @@ -219,7 +219,7 @@ dmesg_restrict:
>>  This toggle indicates whether unprivileged users are prevented from using
>>  dmesg(8) to view messages from the kernel's log buffer.  When
>>  dmesg_restrict is set to (0) there are no restrictions.  When
>> -dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use
>> +dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use
>>  dmesg(8).
>>  
>>  The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default
>> diff --git a/kernel/printk.c b/kernel/printk.c
>> index 0712380..0cecba0 100644
>> --- a/kernel/printk.c
>> +++ b/kernel/printk.c
>> @@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>>  	 * at open time.
>>  	 */
>>  	if (type == SYSLOG_ACTION_OPEN || !from_file) {
>> -		if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
>> -			return -EPERM;
>> +		if (dmesg_restrict && !capable(CAP_SYSLOG))
>> +			goto warn; /* switch to return -EPERM after 2.6.39 */
>>  		if ((type != SYSLOG_ACTION_READ_ALL &&
>>  		     type != SYSLOG_ACTION_SIZE_BUFFER) &&
>> -		    !capable(CAP_SYSLOG)) {
>> -			/* remove after 2.6.38 */
>> -			if (capable(CAP_SYS_ADMIN))
>> -				WARN_ONCE(1, "Attempt to access syslog with "
>> -				  "CAP_SYS_ADMIN but no CAP_SYSLOG "
>> -				  "(deprecated and denied).\n");
>> -			return -EPERM;
>> -		}
>> +		    !capable(CAP_SYSLOG))
>> +			goto warn; /* switch to return -EPERM after 2.6.39 */
>>  	}
>>  
>>  	error = security_syslog(type);
>> @@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
>>  	}
>>  out:
>>  	return error;
>> +warn:
>> +	/* remove after 2.6.39 */
>> +	if (capable(CAP_SYS_ADMIN))
>> +		WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
>> +		  "but no CAP_SYSLOG (deprecated and denied).\n");
>> +	return -EPERM;
>>  }
>>  
>>  SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
>> -- 
>> 1.7.0.4
>>
> 

Does anyone have an idea of which domains are going to be effected by
this change?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0CMvcACgkQrlYvE4MpobP++gCgyJtjhYDfgXnc0TBOGseOpF67
zHoAn3bEditZdnj/OLGInp7FeCaxNQXH
=cOvZ
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/