Re: CVE Request -- kernel: sysctl: restrict write access to dmesg_restrict

[Petr Matousek <pmatouse () redhat com>]

On Wed, Oct 26, 2011 at 01:43:16PM -0400, Dan Rosenberg wrote:
> On Wed, Oct 26, 2011 at 11:16 AM, Petr Matousek <pmatouse () redhat com> wrote:
> > When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
> > kernel ring buffer. But a root user without CAP_SYS_ADMIN is able
> > to reset dmesg_restrict to 0.
>
> Minor correction: CAP_SYSLOG is needed to read the kernel ring buffer,
> with CAP_SYS_ADMIN being a fallback for legacy reasons.  But it's
> correct that CAP_SYS_ADMIN is now required to modify the sysctl.

RHEL uses only CAP_SYS_ADMIN. I haven't checked upstream for
correctness of the description.

> I also agree with Vasiliy's point that LXC security boundaries in the
> mainline kernel are not well defined at this point, so the whole thing
> is a bit silly.

Just wondering - do you usually ack patches that you consider silly?

Petr

> -Dan