syslog: check cap_syslog when dmesg_restrict Eric Paris pointed out that it doesn't make sense to require both CAP_SYS_ADMIN and CAP_SYSLOG for certain syslog actions. So require CAP_SYSLOG, not CAP_SYS_ADMIN, when dmesg_restrict is set. (I'm also consolidating the now common error path) Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 38ef4c2e437d11b5922723504b62824e96761459 [log] [tgz]
author: Serge E. Hallyn <serge@hallyn.com> Wed Dec 08 15:19:01 2010 +0000
committer: James Morris <jmorris@namei.org> Thu Dec 09 09:48:48 2010 +1100
tree: ccec1f38348af3c2776fc5bc0b589e14504f4b33
parent: 5c6d1125f8dbd1bfef39e38fbc2837003be78a59 [diff] [blame]
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 209e158..57406719 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt

@@ -219,7 +219,7 @@
 This toggle indicates whether unprivileged users are prevented from using
 dmesg(8) to view messages from the kernel's log buffer.  When
 dmesg_restrict is set to (0) there are no restrictions.  When
-dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use
+dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use
 dmesg(8).
 
 The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default
commit	38ef4c2e437d11b5922723504b62824e96761459	[log] [tgz]
author	Serge E. Hallyn <serge@hallyn.com>	Wed Dec 08 15:19:01 2010 +0000
committer	James Morris <jmorris@namei.org>	Thu Dec 09 09:48:48 2010 +1100
tree	ccec1f38348af3c2776fc5bc0b589e14504f4b33
parent	5c6d1125f8dbd1bfef39e38fbc2837003be78a59 [diff] [blame]