git.samba.org - sfrench/cifs-2.6.git/commit

author	Jingzi Meng <mengjingzi@iie.ac.cn>
	Fri, 5 Jan 2024 06:20:07 +0000 (14:20 +0800)
committer	Kees Cook <keescook@chromium.org>
	Thu, 1 Feb 2024 18:04:58 +0000 (10:04 -0800)
commit	09ce61e27db83180993e8b1a7f511af62374383c
tree	9a1ebc61a49f7ce5876c33b4561c00bc22522a1b	tree
parent	38b9baf19469a34bc487a549bcd9a4f8433d473e	commit \| diff

cap_syslog: remove CAP_SYS_ADMIN when dmesg_restrict

CAP_SYSLOG was separated from CAP_SYS_ADMIN and introduced in Linux
2.6.37 (2010-11). For a long time, certain syslog actions required
CAP_SYS_ADMIN or CAP_SYSLOG. Maybe it’s time to officially remove
CAP_SYS_ADMIN for more fine-grained control.

CAP_SYS_ADMIN was once removed but added back for backwards
compatibility reasons. In commit 38ef4c2e437d ("syslog: check cap_syslog
when dmesg_restrict") (2010-12), CAP_SYS_ADMIN was no longer needed. And
in commit ee24aebffb75 ("cap_syslog: accept CAP_SYS_ADMIN for now")
(2011-02), it was accepted again. Since then, CAP_SYS_ADMIN has been
preserved.

Now that almost 13 years have passed, the legacy application may have
had enough time to be updated.

Signed-off-by: Jingzi Meng <mengjingzi@iie.ac.cn>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20240105062007.26965-1-mengjingzi@iie.ac.cn
Signed-off-by: Kees Cook <keescook@chromium.org>