-rw-r--r--include/linux/security.h9
-rw-r--r--kernel/printk.c15
-rw-r--r--security/capability.c5
-rw-r--r--security/commoncap.c21
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/hooks.c6
-rw-r--r--security/smack/smack_lsm.c8
7 files changed, 28 insertions, 40 deletions
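diff --git a/include/linux/security.h b/include/linux/security.h
index b8246a8df7d2..fd4d55fb8845 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -77,7 +77,6 @@ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 extern int cap_task_setscheduler(struct task_struct *p);
 extern int cap_task_setioprio(struct task_struct *p, int ioprio);
 extern int cap_task_setnice(struct task_struct *p, int nice);
-extern int cap_syslog(int type, bool from_file);
 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
 
 struct msghdr;
@@ -1388,7 +1387,7 @@ struct security_operations {
 	int (*sysctl) (struct ctl_table *table, int op);
 	int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
 	int (*quota_on) (struct dentry *dentry);
-	int (*syslog) (int type, bool from_file);
+	int (*syslog) (int type);
 	int (*settime) (struct timespec *ts, struct timezone *tz);
 	int (*vm_enough_memory) (struct mm_struct *mm, long pages);
 
@@ -1671,7 +1670,7 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap);
 int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
-int security_syslog(int type, bool from_file);
+int security_syslog(int type);
 int security_settime(struct timespec *ts, struct timezone *tz);
 int security_vm_enough_memory(long pages);
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
@@ -1901,9 +1900,9 @@ static inline int security_quota_on(struct dentry *dentry)
 	return 0;
 }
 
-static inline int security_syslog(int type, bool from_file)
+static inline int security_syslog(int type)
 {
-	return cap_syslog(type, from_file);
+	return 0;
 }
 
 static inline int security_settime(struct timespec *ts, struct timezone *tz)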
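Review bot: The `from_file` argument is dropped from the hook pointer, the prototype and the !CONFIG_SECURITY stub, but the kernel-doc block for the `@syslog` hook earlier in this header is outside every hunk and, since the diffstat is fully accounted for by these four hunks, presumably still describes a `@from_file` parameter; it should be trimmed to `@type` in the same commit. The stub at 1903 now returns 0 unconditionally, so with CONFIG_SECURITY disabled the header enforces nothing on its own and relies on the caller having already done the CAP_SYS_ADMIN/dmesg_restrict test; a one-line comment on the stub, `/* syslog(2) capability checks are done by the caller in do_syslog() */`, would record where that responsibility now lives.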
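diff --git a/kernel/printk.c b/kernel/printk.c
index 38e7d5868d60..9a2264fc42ca 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -274,7 +274,20 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
 	char c;
 	int error = 0;
 
-	error = security_syslog(type, from_file);
+	/*
+	 * If this is from /proc/kmsg we only do the capabilities checks
+	 * at open time.
+	 */
+	if (type == SYSLOG_ACTION_OPEN || !from_file) {
+		if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
+			return -EPERM;
+		if ((type != SYSLOG_ACTION_READ_ALL &&
+		     type != SYSLOG_ACTION_SIZE_BUFFER) &&
+		    !capable(CAP_SYS_ADMIN))
+			return -EPERM;
+	}
+
+	error = security_syslog(type);
 	if (error)
 		return error;
 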
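Review bot: `capable(CAP_SYS_ADMIN)` is evaluated twice for the same request, at 282 and again at 286, whenever dmesg_restrict is set and the caller does hold the capability; the two tests can be folded into one that keeps the original evaluation order and calls capable() at most once, `if ((dmesg_restrict || (type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER)) && !capable(CAP_SYS_ADMIN)) return -EPERM;`. The comment at 277 states that for /proc/kmsg the checks happen only at open time, but not the consequence that a descriptor obtained through a successful open is thereafter treated as authorised for every later action, which is what the `!from_file` test implements; one sentence saying so would help the next reader. do_syslog() starts and ends outside the hunk.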
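diff --git a/security/capability.c b/security/capability.c
index 30ae00fbecd5..c773635ca3a0 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -17,6 +17,11 @@ static int cap_sysctl(ctl_table *table, int op)
 	return 0;
 }
 
+static int cap_syslog(int type)
+{
+	return 0;
+}
+
 static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
 {
 	return 0;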
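Review bot: The new `cap_syslog` stub at 20 turns the default `syslog` hook into a no-op, so after this commit the CAP_SYS_ADMIN/dmesg_restrict enforcement exists only in do_syslog() (kernel/printk.c in this same commit); any other caller of security_syslog() — none is visible on this page — would receive no check at all. A comment above the stub would stop a later reader from assuming it still enforces something: `/* syslog(2) capability checks live in do_syslog(); this default hook only lets an LSM layer policy on top. */`. Ignoring `type` is consistent with the neighbouring cap_sysctl and cap_quotactl stubs.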
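diff --git a/security/commoncap.c b/security/commoncap.c
index 04b80f9912bf..64c2ed9c9015 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,7 +27,6 @@
 #include <linux/sched.h>
 #include <linux/prctl.h>
 #include <linux/securebits.h>
-#include <linux/syslog.h>
 
 /*
  * If a non-root user executes a setuid-root binary in
@@ -884,26 +883,6 @@ error:
 }
 
 /**
- * cap_syslog - Determine whether syslog function is permitted
- * @type: Function requested
- * @from_file: Whether this request came from an open file (i.e. /proc)
- *
- * Determine whether the current process is permitted to use a particular
- * syslog function, returning 0 if permission is granted, -ve if not.
- */
-int cap_syslog(int type, bool from_file)
-{
-	if (type != SYSLOG_ACTION_OPEN && from_file)
-		return 0;
-	if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	if ((type != SYSLOG_ACTION_READ_ALL &&
-	     type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	return 0;
-}
-
-/**
  * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
  * @mm: The VM space in which the new mapping is to be made
  * @pages: The size of the mapping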
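diff --git a/security/security.c b/security/security.c
index 3ef5e2a7a741..1b798d3df710 100644
--- a/security/security.c
+++ b/security/security.c
@@ -197,9 +197,9 @@ int security_quota_on(struct dentry *dentry)
 	return security_ops->quota_on(dentry);
 }
 
-int security_syslog(int type, bool from_file)
+int security_syslog(int type)
 {
-	return security_ops->syslog(type, from_file);
+	return security_ops->syslog(type);
 }
 
 int security_settime(struct timespec *ts, struct timezone *tz)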
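diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9154cf90ae1..65fa8bf596f5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1973,14 +1973,10 @@ static int selinux_quota_on(struct dentry *dentry)
 	return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
 }
 
-static int selinux_syslog(int type, bool from_file)
+static int selinux_syslog(int type)
 {
 	int rc;
 
-	rc = cap_syslog(type, from_file);
-	if (rc)
-		return rc;
-
 	switch (type) {
 	case SYSLOG_ACTION_READ_ALL:	/* Read last kernel messages */
 	case SYSLOG_ACTION_SIZE_BUFFER:	/* Return size of the log buffer */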
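Review bot: With the `cap_syslog` call removed, `rc` at 1978 is no longer assigned before the `switch` at 1980, so selinux_syslog() returns it uninitialised unless every arm of the switch — which, like the rest of the function, continues outside the hunk — assigns it, including a `default:` arm. If that is not guaranteed, `int rc;` needs an explicit initialiser, and the value should be a deliberate deny-by-default error code rather than 0. The capability test and the SELinux decision are now sequential in do_syslog() rather than nested here, which preserves the old order only because the printk.c hunk in this commit performs the capability test before calling security_syslog().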
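diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bc39f4067af6..489a85afa477 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -157,15 +157,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
  *
  * Returns 0 on success, error code otherwise.
  */
-static int smack_syslog(int type, bool from_file)
+static int smack_syslog(int typefrom_file)
 {
-	int rc;
+	int rc = 0;
 	char *sp = current_security();
 
-	rc = cap_syslog(type, from_file);
-	if (rc != 0)
-		return rc;
-
 	if (capable(CAP_MAC_OVERRIDE))
 		return 0;
 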
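Review bot: The new signature at 160 reads `static int smack_syslog(int typefrom_file)` — the two old parameter names fused into one — and it only compiles because the visible part of the body never references the parameter; it should be `static int smack_syslog(int type)` to match the `int (*syslog)(int type)` hook prototype. The kernel-doc ending at 159 presumably still lists `@type` and `@from_file` above the hunk, so its `@from_file` line should go at the same time. The `int rc = 0;` initialiser at 162 is needed now that the removed `cap_syslog` call no longer seeds `rc`; smack_syslog() continues past the end of the hunk.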