[syslog-ng] [Bug 95] Missing capabilities support for unix-stream() source
bugzilla at bugzilla.balabit.com
Fri Oct 15 21:02:27 CEST 2010
https://bugzilla.balabit.com/show_bug.cgi?id=95
--- Comment #4 from Balazs Scheidler <bazsi at balabit.hu> 2010-10-15 21:02:27 ---
Here's the Ubuntu patch that I was talking about. It may have been integrated into the upstream kernel already:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515623
This seems to have been integrated into the upstream kernel as well:
Author: Kees Cook <kees.cook at canonical.com> 2010-02-04 00:36:43
Committer: James Morris <jmorris at namei.org> 2010-02-04 04:20:12
Parent: 0719aaf5ead7555b7b7a4a080ebf2826a871384e (selinux: allow MLS->non-MLS and vice versa upon policy reload)
Child: d78ca3cd733d8a2c3dcd88471beb1a15d973eed8 (syslog: use defined constants instead of raw numbers)
Branch: remotes/linus/master
Follows: v2.6.33-rc4
Precedes: v2.6.34-rc1

syslog: distinguish between /proc/kmsg and syscalls

This allows the LSM to distinguish between syslog functions originating
from /proc/kmsg access and direct syscalls. By default, the commoncaps
will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
file descriptor. For example the kernel syslog reader can now drop
privileges after opening /proc/kmsg, instead of staying privileged with
CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
behavior.

Signed-off-by: Kees Cook <kees.cook at canonical.com>
Acked-by: Serge Hallyn <serue at us.ibm.com>
Acked-by: John Johansen <john.johansen at canonical.com>
Signed-off-by: James Morris <jmorris at namei.org>

It seems to have been integrated into 2.6.34, so 2.6.35 definitely has the fix.
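
The pattern the quoted commit message describes (open /proc/kmsg while privileged, then drop privileges and keep reading from the descriptor), as an added example that is not part of the original message, syslog-ng, or the kernel patch. It drops to an unprivileged uid/gid rather than using libcap; the function name and the uid/gid 65534 are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` while privileged, permanently drop to uid/gid (non-zero,
 * caller-chosen), then read through the already-open descriptor.
 * Returns bytes read, or -1 on any failure. Without root there is nothing
 * to drop and the function only performs the open and the read. */
ssize_t open_then_drop_and_read(const char *path, uid_t uid, gid_t gid,
                                char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    if (geteuid() == 0) {
        /* Order matters: supplementary groups, then gids, then uids.
         * Leaving uid 0 in all three uid slots also clears the permitted
         * and effective capability sets, CAP_SYS_ADMIN included. */
        if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0 ||
            setresuid(uid, uid, uid) != 0 ||
            setuid(0) == 0) {   /* regaining root must fail */
            close(fd);
            return -1;
        }
    }
    /* On a kernel with the change quoted above, this read is allowed
     * because the access decision was made when the file was opened. */
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

int main(void)
{
    char buf[4096];
    /* 65534 ("nobody" on many distributions) is an assumption. */
    ssize_t n = open_then_drop_and_read("/proc/kmsg", 65534, 65534,
                                        buf, sizeof buf);
    if (n < 0) {
        perror("open_then_drop_and_read");
        return 1;
    }
    fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```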