• Vasily Averin's avatar
    security_syslog() should be called once only · ce458596
    Vasily Averin authored
    commit d194e5d6 upstream.
    
    The final version of commit 637241a9 ("kmsg: honor dmesg_restrict
    sysctl on /dev/kmsg") lost few hooks, as result security_syslog() are
    processed incorrectly:
    
    - open of /dev/kmsg checks syslog access permissions by using
      check_syslog_permissions() where security_syslog() is not called if
      dmesg_restrict is set.
    
    - syslog syscall and /proc/kmsg calls do_syslog() where security_syslog
      can be executed twice (inside check_syslog_permissions() and then
      directly in do_syslog())
    
    With this patch security_syslog() is called once only in all
    syslog-related operations regardless of dmesg_restrict value.
    
    Fixes: 637241a9 ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg")
    Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Josh Boyer <jwboyer@redhat.com>
    Cc: Eric Paris <eparis@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
    ce458596
printk.c 72 KB