summaryrefslogtreecommitdiffstats
path: root/kernel/printk
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2017-08-10 06:11:00 +0200
committerKees Cook <keescook@chromium.org>2017-08-18 01:29:19 +0200
commitc71b02e4d207cbcf097f9746d5f7967b22905e70 (patch)
treef3eaa286c2a932e1f348ae3b322eedd9fea9cefa /kernel/printk
parentpstore: Make default pstorefs root dir perms 0750 (diff)
downloadlinux-c71b02e4d207cbcf097f9746d5f7967b22905e70.tar.xz
linux-c71b02e4d207cbcf097f9746d5f7967b22905e70.zip
Revert "pstore: Honor dmesg_restrict sysctl on dmesg dumps"
This reverts commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3, with various conflict clean-ups. The capability check required too much privilege compared to simple DAC controls. A system builder was forced to have crash handler processes run with CAP_SYSLOG which would give it the ability to read (and wipe) the _current_ dmesg, which is much more access than being given access only to the historical log stored in pstorefs. With the prior commit to make the root directory 0750, the files are protected by default but a system builder can now opt to give access to a specific group (via chgrp on the pstorefs root directory) without being forced to also give away CAP_SYSLOG. Suggested-by: Nick Kralevich <nnk@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Petr Mladek <pmladek@suse.cz> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Diffstat (limited to 'kernel/printk')
-rw-r--r--kernel/printk/printk.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index fc47863f629c..97bda7b0655b 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -649,7 +649,7 @@ static int syslog_action_restricted(int type)
type != SYSLOG_ACTION_SIZE_BUFFER;
}
-int check_syslog_permissions(int type, int source)
+static int check_syslog_permissions(int type, int source)
{
/*
* If this is from /proc/kmsg and we've already opened it, then we've
@@ -677,7 +677,6 @@ int check_syslog_permissions(int type, int source)
ok:
return security_syslog(type);
}
-EXPORT_SYMBOL_GPL(check_syslog_permissions);
static void append_char(char **pp, char *e, char c)
{