security: Define CAP_SYSLOG
Privileged syslog operations currently require CAP_SYS_ADMIN. Split this off into a new CAP_SYSLOG privilege which we can sanely take away from a container through the capability bounding set. With this patch, an lxc container can be prevented from messing with the host's syslog (e.g. dmesg -c). Changelog: mar 12 2010: add selinux capability2:cap_syslog perm Changelog: nov 22 2010: . port to new kernel . add a WARN_ONCE if userspace isn't using CAP_SYSLOG Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-By: Kees Cook <kees.cook@canonical.com> Cc: James Morris <jmorris@namei.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Christopher J. PeBenito" <cpebenito@tresys.com> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
parent
1d6d75684d
commit
ce6ada35bd
3 changed files with 13 additions and 4 deletions
@ -246,7 +246,6 @@ struct cpu_vfs_cap_data {
|
|||
/* Allow configuration of the secure attention key */
|
||||
/* Allow administration of the random device */
|
||||
/* Allow examination and configuration of disk quotas */
|
||||
/* Allow configuring the kernel's syslog (printk behaviour) */
|
||||
/* Allow setting the domainname */
|
||||
/* Allow setting the hostname */
|
||||
/* Allow calling bdflush() */
|
||||
|
@ -352,7 +351,11 @@ struct cpu_vfs_cap_data {
|
|||
|
||||
#define CAP_MAC_ADMIN 33
|
||||
|
||||
#define CAP_LAST_CAP CAP_MAC_ADMIN
|
||||
/* Allow configuring the kernel's syslog (printk behaviour) */
|
||||
|
||||
#define CAP_SYSLOG 34
|
||||
|
||||
#define CAP_LAST_CAP CAP_SYSLOG
|
||||
|
||||
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
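Review bot: The comment carried over to the new `#define CAP_SYSLOG 34` only describes "printk behaviour", but the do_syslog() hunk in this same commit makes CAP_SYSLOG gate every syslog(2) action except SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, i.e. reading and clearing the kernel log ring buffer as well, so the header understates what the capability grants. Since CAP_SYS_ADMIN's block loses this line, nothing in the header tells a reader which actions still need CAP_SYS_ADMIN and which moved. Suggest `/* Allow configuring the kernel's syslog (printk behaviour) and the privileged syslog(2) actions (e.g. reading/clearing the log buffer) */` on the CAP_SYSLOG definition. Bumping CAP_LAST_CAP to 34 also means any table indexed by capability number (the SELinux classmap being one in this commit) must gain an entry; a one-line comment next to CAP_LAST_CAP pointing at those tables would help the next person who adds a capability.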
|
||||
|
||||
|
|
|
@ -283,9 +283,15 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
|
|||
return -EPERM;
|
||||
if ((type != SYSLOG_ACTION_READ_ALL &&
|
||||
type != SYSLOG_ACTION_SIZE_BUFFER) &&
|
||||
!capable(CAP_SYS_ADMIN))
|
||||
!capable(CAP_SYSLOG)) {
|
||||
/* remove after 2.6.38 */
|
||||
if (capable(CAP_SYS_ADMIN))
|
||||
WARN_ONCE(1, "Attempt to access syslog with "
|
||||
"CAP_SYS_ADMIN but no CAP_SYSLOG "
|
||||
"(deprecated and denied).\n");
|
||||
return -EPERM;
|
||||
}
|
||||
}
|
||||
|
||||
error = security_syslog(type);
|
||||
if (error)
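Review bot: The diagnostic probe `if (capable(CAP_SYS_ADMIN))` inside the denial branch is not a pure query: capable() marks the task as having exercised privilege on success (PF_SUPERPRIV), and LSMs may audit it as a grant, so a request that is ultimately refused with -EPERM records a CAP_SYS_ADMIN use and can emit a confusing audit trail. If this tree has it, `has_capability_noaudit(current, CAP_SYS_ADMIN)` is the better fit for a "would the old check have passed" test that carries no side effects. The `/* remove after 2.6.38 */` comment should say what to remove, e.g. `/* remove after 2.6.38: transitional warning for userspace still relying on CAP_SYS_ADMIN */`, and the unbraced inner `if` whose body is a three-line WARN_ONCE() is the kind of layout that invites a dangling-statement bug on the next edit; brace it. Note that with this change a caller holding CAP_SYS_ADMIN but not CAP_SYSLOG is denied outright rather than warned and allowed, which is a hard behaviour change for existing syslogd/dmesg binaries and deserves an explicit sentence in the commit description. do_syslog() starts and ends outside this hunk.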
|
||||
|
|
|
@ -142,7 +142,7 @@ struct security_class_mapping secclass_map[] = {
|
|||
"node_bind", "name_connect", NULL } },
|
||||
{ "memprotect", { "mmap_zero", NULL } },
|
||||
{ "peer", { "recv", NULL } },
|
||||
{ "capability2", { "mac_override", "mac_admin", NULL } },
|
||||
{ "capability2", { "mac_override", "mac_admin", "syslog", NULL } },
|
||||
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
|
||||
{ "tun_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
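Review bot: The position of "syslog" in the capability2 permission list is load-bearing: the SELinux capability check derives the access-vector bit from the capability number (cap & 31), so "mac_override", "mac_admin", "syslog" must stay in the order CAP_MAC_OVERRIDE (32), CAP_MAC_ADMIN (33), CAP_SYSLOG (34), and nothing in this file says so. Suggest `/* order must match CAP_* numbering from 32 upward; bit = cap & 31 */` on the capability2 entry so a future insertion in the middle of the list is not mistaken for a harmless alphabetical tidy-up. Existing policies that granted capability:sys_admin for syslog access presumably now need capability2:syslog as well, which is worth stating in the commit description alongside the CAP_SYSLOG userspace note.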
|
||||
|
|