git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Richard Weinberger <richard@nod.at>
	Wed, 23 Mar 2011 23:43:11 +0000 (16:43 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Sun, 27 Mar 2011 19:00:15 +0000 (12:00 -0700)
commit	3b7aeabf65b2a0f02eb56e8dbdc0f7a144de957d
tree	0128f0d88c69d0f07d8c7366738672382eb4414f	tree \| snapshot
parent	2cbb72182bf7eb46b2088953fb8689669ccff399	commit \| diff

sysctl: restrict write access to dmesg_restrict

commit bfdc0b497faa82a0ba2f9dddcf109231dd519fcc upstream.

When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the kernel
ring buffer.  But a root user without CAP_SYS_ADMIN is able to reset
dmesg_restrict to 0.

This is an issue when e.g.  LXC (Linux Containers) are used and complete
user space is running without CAP_SYS_ADMIN.  A unprivileged and jailed
root user can bypass the dmesg_restrict protection.

With this patch writing to dmesg_restrict is only allowed when root has
CAP_SYS_ADMIN.

Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Serge E. Hallyn <serge@hallyn.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: Eugene Teo <eugeneteo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>