Re: [PATCH 1/1] Define CAP_SYSLOG

From: James Morris
Date: Sun Nov 28 2010 - 16:39:40 EST

Next message: Thadeu Lima de Souza Cascardo: "[PATCH] wmi: use memcmp instead of strncmp to compare GUIDs"
Previous message: Ben Hutchings: "[Fwd: Bug#604755: perf timechart: segfault inperf_session__process_events]"
In reply to: Serge E. Hallyn: "Re: [PATCH 1/1] Define CAP_SYSLOG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 25 Nov 2010, Serge E. Hallyn wrote:

> Privileged syslog operations currently require CAP_SYS_ADMIN. Split
> this off into a new CAP_SYSLOG privilege which we can sanely take away
> from a container through the capability bounding set.
>
> With this patch, an lxc container can be prevented from messing with
> the host's syslog (i.e. dmesg -c).
>
> Changelog: mar 12 2010: add selinux capability2:cap_syslog perm
> Changelog: nov 22 2010:
> . port to new kernel
> . add a WARN_ONCE if userspace isn't using CAP_SYSLOG

Applied with kernel version fix to:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thadeu Lima de Souza Cascardo: "[PATCH] wmi: use memcmp instead of strncmp to compare GUIDs"
Previous message: Ben Hutchings: "[Fwd: Bug#604755: perf timechart: segfault inperf_session__process_events]"
In reply to: Serge E. Hallyn: "Re: [PATCH 1/1] Define CAP_SYSLOG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]