diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 14:18:59 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 14:18:59 -0500 |
commit | e0e736fc0d33861335e2a132e4f688f7fd380c61 (patch) | |
tree | d9febe9ca1ef1e24efc5e6e1e34e412316d246bd /kernel | |
parent | a08948812b30653eb2c536ae613b635a989feb6f (diff) | |
parent | aeda4ac3efc29e4d55989abd0a73530453aa69ba (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)
MAINTAINERS: Add tomoyo-dev-en ML.
SELinux: define permissions for DCB netlink messages
encrypted-keys: style and other cleanup
encrypted-keys: verify datablob size before converting to binary
trusted-keys: kzalloc and other cleanup
trusted-keys: additional TSS return code and other error handling
syslog: check cap_syslog when dmesg_restrict
Smack: Transmute labels on specified directories
selinux: cache sidtab_context_to_sid results
SELinux: do not compute transition labels on mountpoint labeled filesystems
This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.
SELinux: merge policydb_index_classes and policydb_index_others
selinux: convert part of the sym_val_to_name array to use flex_array
selinux: convert type_val_to_struct to flex_array
flex_array: fix flex_array_put_ptr macro to be valid C
SELinux: do not set automatic i_ino in selinuxfs
selinux: rework security_netlbl_secattr_to_sid
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in policydb.c
...
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/printk.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/kernel/printk.c b/kernel/printk.c index 4642a5c439eb..f64b8997fc76 100644 --- a/kernel/printk.c +++ b/kernel/printk.c | |||
@@ -273,12 +273,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) | |||
273 | * at open time. | 273 | * at open time. |
274 | */ | 274 | */ |
275 | if (type == SYSLOG_ACTION_OPEN || !from_file) { | 275 | if (type == SYSLOG_ACTION_OPEN || !from_file) { |
276 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | 276 | if (dmesg_restrict && !capable(CAP_SYSLOG)) |
277 | return -EPERM; | 277 | goto warn; /* switch to return -EPERM after 2.6.39 */ |
278 | if ((type != SYSLOG_ACTION_READ_ALL && | 278 | if ((type != SYSLOG_ACTION_READ_ALL && |
279 | type != SYSLOG_ACTION_SIZE_BUFFER) && | 279 | type != SYSLOG_ACTION_SIZE_BUFFER) && |
280 | !capable(CAP_SYS_ADMIN)) | 280 | !capable(CAP_SYSLOG)) |
281 | return -EPERM; | 281 | goto warn; /* switch to return -EPERM after 2.6.39 */ |
282 | } | 282 | } |
283 | 283 | ||
284 | error = security_syslog(type); | 284 | error = security_syslog(type); |
@@ -422,6 +422,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) | |||
422 | } | 422 | } |
423 | out: | 423 | out: |
424 | return error; | 424 | return error; |
425 | warn: | ||
426 | /* remove after 2.6.39 */ | ||
427 | if (capable(CAP_SYS_ADMIN)) | ||
428 | WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN " | ||
429 | "but no CAP_SYSLOG (deprecated and denied).\n"); | ||
430 | return -EPERM; | ||
425 | } | 431 | } |
426 | 432 | ||
427 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) | 433 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) |