diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 12 | ||||
| -rw-r--r-- | security/apparmor/lsm.c | 6 | ||||
| -rw-r--r-- | security/apparmor/policy.c | 2 | ||||
| -rw-r--r-- | security/commoncap.c | 2 |
4 files changed, 19 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig index bd72ae623494..e80da955e687 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -39,6 +39,18 @@ config KEYS_DEBUG_PROC_KEYS | |||
| 39 | 39 | ||
| 40 | If you are unsure as to whether this is required, answer N. | 40 | If you are unsure as to whether this is required, answer N. |
| 41 | 41 | ||
| 42 | config SECURITY_DMESG_RESTRICT | ||
| 43 | bool "Restrict unprivileged access to the kernel syslog" | ||
| 44 | default n | ||
| 45 | help | ||
| 46 | This enforces restrictions on unprivileged users reading the kernel | ||
| 47 | syslog via dmesg(8). | ||
| 48 | |||
| 49 | If this option is not selected, no restrictions will be enforced | ||
| 50 | unless the dmesg_restrict sysctl is explicitly set to (1). | ||
| 51 | |||
| 52 | If you are unsure how to answer this question, answer N. | ||
| 53 | |||
| 42 | config SECURITY | 54 | config SECURITY |
| 43 | bool "Enable different security models" | 55 | bool "Enable different security models" |
| 44 | depends on SYSFS | 56 | depends on SYSFS |
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index cf1de4462ccd..b7106f192b75 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -922,7 +922,7 @@ static int __init apparmor_init(void) | |||
| 922 | error = register_security(&apparmor_ops); | 922 | error = register_security(&apparmor_ops); |
| 923 | if (error) { | 923 | if (error) { |
| 924 | AA_ERROR("Unable to register AppArmor\n"); | 924 | AA_ERROR("Unable to register AppArmor\n"); |
| 925 | goto register_security_out; | 925 | goto set_init_cxt_out; |
| 926 | } | 926 | } |
| 927 | 927 | ||
| 928 | /* Report that AppArmor successfully initialized */ | 928 | /* Report that AppArmor successfully initialized */ |
| @@ -936,6 +936,9 @@ static int __init apparmor_init(void) | |||
| 936 | 936 | ||
| 937 | return error; | 937 | return error; |
| 938 | 938 | ||
| 939 | set_init_cxt_out: | ||
| 940 | aa_free_task_context(current->real_cred->security); | ||
| 941 | |||
| 939 | register_security_out: | 942 | register_security_out: |
| 940 | aa_free_root_ns(); | 943 | aa_free_root_ns(); |
| 941 | 944 | ||
| @@ -944,7 +947,6 @@ alloc_out: | |||
| 944 | 947 | ||
| 945 | apparmor_enabled = 0; | 948 | apparmor_enabled = 0; |
| 946 | return error; | 949 | return error; |
| 947 | |||
| 948 | } | 950 | } |
| 949 | 951 | ||
| 950 | security_initcall(apparmor_init); | 952 | security_initcall(apparmor_init); |
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 52cc865f1464..4f0eadee78b8 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c | |||
| @@ -306,7 +306,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix, | |||
| 306 | return ns; | 306 | return ns; |
| 307 | 307 | ||
| 308 | fail_unconfined: | 308 | fail_unconfined: |
| 309 | kzfree(ns->base.name); | 309 | kzfree(ns->base.hname); |
| 310 | fail_ns: | 310 | fail_ns: |
| 311 | kzfree(ns); | 311 | kzfree(ns); |
| 312 | return NULL; | 312 | return NULL; |
diff --git a/security/commoncap.c b/security/commoncap.c index 5e632b4857e4..04b80f9912bf 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -895,6 +895,8 @@ int cap_syslog(int type, bool from_file) | |||
| 895 | { | 895 | { |
| 896 | if (type != SYSLOG_ACTION_OPEN && from_file) | 896 | if (type != SYSLOG_ACTION_OPEN && from_file) |
| 897 | return 0; | 897 | return 0; |
| 898 | if (dmesg_restrict && !capable(CAP_SYS_ADMIN)) | ||
| 899 | return -EPERM; | ||
| 898 | if ((type != SYSLOG_ACTION_READ_ALL && | 900 | if ((type != SYSLOG_ACTION_READ_ALL && |
| 899 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) | 901 | type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN)) |
| 900 | return -EPERM; | 902 | return -EPERM; |