summaryrefslogtreecommitdiff
path: root/kernel/printk.c
diff options
context:
space:
mode:
authorSerge E. Hallyn <serge@hallyn.com>2010-12-08 15:19:01 +0000
committerJames Morris <jmorris@namei.org>2010-12-09 09:48:48 +1100
commit38ef4c2e437d11b5922723504b62824e96761459 (patch)
treeccec1f38348af3c2776fc5bc0b589e14504f4b33 /kernel/printk.c
parent5c6d1125f8dbd1bfef39e38fbc2837003be78a59 (diff)
downloadlwn-38ef4c2e437d11b5922723504b62824e96761459.tar.gz
lwn-38ef4c2e437d11b5922723504b62824e96761459.zip
syslog: check cap_syslog when dmesg_restrict
Eric Paris pointed out that it doesn't make sense to require both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions. So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict is set. (I'm also consolidating the now common error path) Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel/printk.c')
-rw-r--r--kernel/printk.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/kernel/printk.c b/kernel/printk.c
index 0712380737b3..0cecba059666 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
* at open time.
*/
if (type == SYSLOG_ACTION_OPEN || !from_file) {
- if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
- return -EPERM;
+ if (dmesg_restrict && !capable(CAP_SYSLOG))
+ goto warn; /* switch to return -EPERM after 2.6.39 */
if ((type != SYSLOG_ACTION_READ_ALL &&
type != SYSLOG_ACTION_SIZE_BUFFER) &&
- !capable(CAP_SYSLOG)) {
- /* remove after 2.6.38 */
- if (capable(CAP_SYS_ADMIN))
- WARN_ONCE(1, "Attempt to access syslog with "
- "CAP_SYS_ADMIN but no CAP_SYSLOG "
- "(deprecated and denied).\n");
- return -EPERM;
- }
+ !capable(CAP_SYSLOG))
+ goto warn; /* switch to return -EPERM after 2.6.39 */
}
error = security_syslog(type);
@@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
}
out:
return error;
+warn:
+ /* remove after 2.6.39 */
+ if (capable(CAP_SYS_ADMIN))
+ WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
+ "but no CAP_SYSLOG (deprecated and denied).\n");
+ return -EPERM;
}
SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)