From 7c9bf63f9a5559811ffdc17e6dc70cb8df4a5bf6 Mon Sep 17 00:00:00 2001
From: "Stephen D. Smalley"
Date: Thu, 6 Feb 2003 12:37:12 +1100
Subject: [PATCH] LSM: Add LSM syslog hook to 2.5.59

This patch adds the LSM security_syslog hook for controlling the syslog(2) interface relative to 2.5.59 plus the previously posted security_sysctl patch. In response to earlier comments by Christoph, the existing capability check for syslog(2) is moved into the capability security module hook function, and a corresponding dummy security module hook function is defined that provides traditional superuser behavior. The LSM hook is placed in do_syslog rather than sys_syslog so that it is called when either the system call interface or the /proc/kmsg interface is used. SELinux uses this hook to control access to the kernel message ring and to the console log level.
---
 kernel/printk.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'kernel/printk.c')
diff --git a/kernel/printk.c b/kernel/printk.c
index 9f2eb4b45669..853ac68708ae 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -161,6 +162,10 @@ int do_syslog(int type, char * buf, int len)
 char c;
 int error = 0;
+ error = security_syslog(type);
+ if (error)
+ return error;
+
 switch (type) {
 case 0: /* Close log */
 break;
@@ -273,8 +278,6 @@ out:
 asmlinkage long sys_syslog(int type, char * buf, int len)
 {
- if ((type != 3) && !capable(CAP_SYS_ADMIN))
- return -EPERM;
 return do_syslog(type, buf, len);
 }
-- 
cgit v1.2.3
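Review bot: In the do_syslog hunk, `security_syslog(type)` now runs on every do_syslog call against the current task, so the /proc/kmsg path named in the commit message gets a per-operation check it did not have when `capable(CAP_SYS_ADMIN)` sat in sys_syslog. If the default hooks reproduce the old test as the description says, a log reader that opens /proc/kmsg while privileged and then drops privileges would presumably start getting errors on later reads; the hook bodies are outside this path-limited diff, so confirm that there. The hook also sees only `type`, so a module cannot tell the syscall from the /proc/kmsg caller. If per-call enforcement is intended, record it at the call site, e.g. `/* LSM check on every call, syscall and /proc/kmsg alike; the CAP_SYS_ADMIN test now lives in the hook */`. do_syslog's body continues outside the hunk.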