8 files changed, 27 insertions, 35 deletions

diff --git a/security/Kconfig b/security/Kconfig
index bd72ae62349..e80da955e68 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS
 
           If you are unsure as to whether this is required, answer N.
 
+config SECURITY_DMESG_RESTRICT
+        bool "Restrict unprivileged access to the kernel syslog"
+        default n
+        help
+          This enforces restrictions on unprivileged users reading the kernel
+          syslog via dmesg(8).
+
+          If this option is not selected, no restrictions will be enforced
+          unless the dmesg_restrict sysctl is explicitly set to (1).
+
+          If you are unsure how to answer this question, answer N.
+
 config SECURITY
         bool "Enable different security models"
         depends on SYSFS
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index cf1de4462cc..b7106f192b7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -922,7 +922,7 @@ static int __init apparmor_init(void)
         error = register_security(&apparmor_ops);
         if (error) {
                 AA_ERROR("Unable to register AppArmor\n");
-                goto register_security_out;
+                goto set_init_cxt_out;
         }
 
         /* Report that AppArmor successfully initialized */
@@ -936,6 +936,9 @@ static int __init apparmor_init(void)
 
         return error;
 
+set_init_cxt_out:
+        aa_free_task_context(current->real_cred->security);
+
 register_security_out:
         aa_free_root_ns();
 
@@ -944,7 +947,6 @@ alloc_out:
 
         apparmor_enabled = 0;
         return error;
-
 }
 
 security_initcall(apparmor_init);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 52cc865f146..4f0eadee78b 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -306,7 +306,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
         return ns;
 
 fail_unconfined:
-        kzfree(ns->base.name);
+        kzfree(ns->base.hname);
 fail_ns:
         kzfree(ns);
         return NULL;
diff --git a/security/capability.c b/security/capability.c
index 30ae00fbecd..c773635ca3a 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op)
         return 0;
 }
 
+static int cap_syslog(int type)
+{
+        return 0;
+}
+
 static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
 {
         return 0;
diff --git a/security/commoncap.c b/security/commoncap.c
index 5e632b4857e..64c2ed9c901 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,7 +27,6 @@
 #include <linux/sched.h>
 #include <linux/prctl.h>
 #include <linux/securebits.h>
-#include <linux/syslog.h>
 
 /*
  * If a non-root user executes a setuid-root binary in
@@ -884,24 +883,6 @@ error:
 }
 
 /**
- * cap_syslog - Determine whether syslog function is permitted
- * @type: Function requested
- * @from_file: Whether this request came from an open file (i.e. /proc)
- *
- * Determine whether the current process is permitted to use a particular
- * syslog function, returning 0 if permission is granted, -ve if not.
- */
-int cap_syslog(int type, bool from_file)
-{
-        if (type != SYSLOG_ACTION_OPEN && from_file)
-                return 0;
-        if ((type != SYSLOG_ACTION_READ_ALL &&
-             type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
-                return -EPERM;
-        return 0;
-}
-
-/**
  * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
  * @mm: The VM space in which the new mapping is to be made
  * @pages: The size of the mapping
diff --git a/security/security.c b/security/security.c
index 3ef5e2a7a74..1b798d3df71 100644
--- a/security/security.c
+++ b/security/security.c
@@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry)
         return security_ops->quota_on(dentry);
 }
 
-int security_syslog(int type, bool from_file)
+int security_syslog(int type)
 {
-        return security_ops->syslog(type, from_file);
+        return security_ops->syslog(type);
 }
 
 int security_settime(struct timespec *ts, struct timezone *tz)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9154cf90ae..65fa8bf596f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry)
         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
 }
 
-static int selinux_syslog(int type, bool from_file)
+static int selinux_syslog(int type)
 {
         int rc;
 
-        rc = cap_syslog(type, from_file);
-        if (rc)
-                return rc;
-
         switch (type) {
         case SYSLOG_ACTION_READ_ALL:    /* Read last kernel messages */
         case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bc39f4067af..489a85afa47 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
  *
  * Returns 0 on success, error code otherwise.
  */
-static int smack_syslog(int type, bool from_file)
+static int smack_syslog(int typefrom_file)
 {
-        int rc;
+        int rc = 0;
         char *sp = current_security();
 
-        rc = cap_syslog(type, from_file);
-        if (rc != 0)
-                return rc;
-
         if (capable(CAP_MAC_OVERRIDE))
                 return 0;