diff options
| -rw-r--r-- | Documentation/sysctl/kernel.txt | 2 | ||||
| -rw-r--r-- | kernel/printk.c | 20 |
2 files changed, 11 insertions, 11 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 209e1584c3dc..574067194f38 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt | |||
| @@ -219,7 +219,7 @@ dmesg_restrict: | |||
| 219 | This toggle indicates whether unprivileged users are prevented from using | 219 | This toggle indicates whether unprivileged users are prevented from using |
| 220 | dmesg(8) to view messages from the kernel's log buffer. When | 220 | dmesg(8) to view messages from the kernel's log buffer. When |
| 221 | dmesg_restrict is set to (0) there are no restrictions. When | 221 | dmesg_restrict is set to (0) there are no restrictions. When |
| 222 | dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use | 222 | dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use |
| 223 | dmesg(8). | 223 | dmesg(8). |
| 224 | 224 | ||
| 225 | The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default | 225 | The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default |
diff --git a/kernel/printk.c b/kernel/printk.c index 0712380737b3..0cecba059666 100644 --- a/kernel/printk.c +++ b/kernel/printk.c | |||
| @@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) | |||
| 279 | * at open time. | 279 | * at open time. |
| 280 | */ | 280 | */ |
| 281 | if (type == SYSLOG_ACTION_OPEN || !from_file) { | 281 | if (type == SYSLOG_ACTION_OPEN || !from_file) { |
| 282 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | 282 | if (dmesg_restrict && !capable(CAP_SYSLOG)) |
| 283 | return -EPERM; | 283 | goto warn; /* switch to return -EPERM after 2.6.39 */ |
| 284 | if ((type != SYSLOG_ACTION_READ_ALL && | 284 | if ((type != SYSLOG_ACTION_READ_ALL && |
| 285 | type != SYSLOG_ACTION_SIZE_BUFFER) && | 285 | type != SYSLOG_ACTION_SIZE_BUFFER) && |
| 286 | !capable(CAP_SYSLOG)) { | 286 | !capable(CAP_SYSLOG)) |
| 287 | /* remove after 2.6.38 */ | 287 | goto warn; /* switch to return -EPERM after 2.6.39 */ |
| 288 | if (capable(CAP_SYS_ADMIN)) | ||
| 289 | WARN_ONCE(1, "Attempt to access syslog with " | ||
| 290 | "CAP_SYS_ADMIN but no CAP_SYSLOG " | ||
| 291 | "(deprecated and denied).\n"); | ||
| 292 | return -EPERM; | ||
| 293 | } | ||
| 294 | } | 288 | } |
| 295 | 289 | ||
| 296 | error = security_syslog(type); | 290 | error = security_syslog(type); |
| @@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) | |||
| 434 | } | 428 | } |
| 435 | out: | 429 | out: |
| 436 | return error; | 430 | return error; |
| 431 | warn: | ||
| 432 | /* remove after 2.6.39 */ | ||
| 433 | if (capable(CAP_SYS_ADMIN)) | ||
| 434 | WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN " | ||
| 435 | "but no CAP_SYSLOG (deprecated and denied).\n"); | ||
| 436 | return -EPERM; | ||
| 437 | } | 437 | } |
| 438 | 438 | ||
| 439 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) | 439 | SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) |