diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 12 | ||||
| -rw-r--r-- | security/commoncap.c | 2 |
2 files changed, 14 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig index bd72ae623494..e80da955e687 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS | |||
| 39 | 39 | ||
| 40 | If you are unsure as to whether this is required, answer N. | 40 | If you are unsure as to whether this is required, answer N. |
| 41 | 41 | ||
| 42 | config SECURITY_DMESG_RESTRICT | ||
| 43 | bool "Restrict unprivileged access to the kernel syslog" | ||
| 44 | default n | ||
| 45 | help | ||
| 46 | This enforces restrictions on unprivileged users reading the kernel | ||
| 47 | syslog via dmesg(8). | ||
| 48 | |||
| 49 | If this option is not selected, no restrictions will be enforced | ||
| 50 | unless the dmesg_restrict sysctl is explicitly set to (1). | ||
| 51 | |||
| 52 | If you are unsure how to answer this question, answer N. | ||
| 53 | |||
| 42 | config SECURITY | 54 | config SECURITY |
| 43 | bool "Enable different security models" | 55 | bool "Enable different security models" |
| 44 | depends on SYSFS | 56 | depends on SYSFS |
diff --git a/security/commoncap.c b/security/commoncap.c index 5e632b4857e4..04b80f9912bf 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -895,6 +895,8 @@ int cap_syslog(int type, bool from_file) | |||
| 895 | { | 895 | { |
| 896 | if (type != SYSLOG_ACTION_OPEN && from_file) | 896 | if (type != SYSLOG_ACTION_OPEN && from_file) |
| 897 | return 0; | 897 | return 0; |
| 898 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | ||
| 899 | return -EPERM; | ||
| 898 | if ((type != SYSLOG_ACTION_READ_ALL && | 900 | if ((type != SYSLOG_ACTION_READ_ALL && |
| 899 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) | 901 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) |
| 900 | return -EPERM; | 902 | return -EPERM; |