Commit 09ce61e2 authored Jan 05, 2024 by Jingzi Meng Committed by Kees Cook Feb 01, 2024

cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict



CAP_SYSLOG was separated from CAP_SYS_ADMIN and introduced in Linux
2.6.37 (2010-11). For a long time, certain syslog actions required
CAP_SYS_ADMIN or CAP_SYSLOG. Maybe it’s time to officially remove
CAP_SYS_ADMIN for more fine-grained control.

CAP_SYS_ADMIN was once removed but added back for backwards
compatibility reasons. In commit 38ef4c2e ("syslog: check cap_syslog
when dmesg_restrict") (2010-12), CAP_SYS_ADMIN was no longer needed. And
in commit ee24aebf ("cap_syslog: accept CAP_SYS_ADMIN for now")
(2011-02), it was accepted again. Since then, CAP_SYS_ADMIN has been
preserved.

Now that almost 13 years have passed, the legacy application may have
had enough time to be updated.

Signed-off-by: Jingzi Meng <mengjingzi@iie.ac.cn>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20240105062007.26965-1-mengjingzi@iie.ac.cn


Signed-off-by: Kees Cook <keescook@chromium.org>

parent 38b9baf1

kernel/printk/printk.c

+0 −11

Original line number	Diff line number	Diff line
		@@ -598,17 +598,6 @@ static int check_syslog_permissions(int type, int source)
		if (syslog_action_restricted(type)) {
		if (capable(CAP_SYSLOG))
		goto ok;
		/*
		* For historical reasons, accept CAP_SYS_ADMIN too, with
		* a warning.
		*/
		if (capable(CAP_SYS_ADMIN)) {
		pr_warn_once("%s (%d): Attempt to access syslog with "
		"CAP_SYS_ADMIN but no CAP_SYSLOG "
		"(deprecated).\n",
		current->comm, task_pid_nr(current));
		goto ok;
		}
		return -EPERM;
		}
		ok: