Re: Suggestion for Capability Check Refinement in check_syslog_permissions()

From: Greg KH
Date: Wed Jan 03 2024 - 01:59:30 EST

Next message: Jason-JH Lin (林睿祥): "Re: [PATCH v3 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver"
Previous message: Jason-JH Lin (林睿祥): "Re: [PATCH v3 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver"
In reply to: 孟敬姿: "Suggestion for Capability Check Refinement in check_syslog_permissions()"
Next in thread: Petr Mladek: "Re: Suggestion for Capability Check Refinement in check_syslog_permissions()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 03, 2024 at 01:00:58PM +0800, 孟敬姿 wrote:
> Hi, we suggest revisiting the capability checks in
> check_syslog_permissions(). Currently CAP_SYSLOG is checked first, and
> if it’s not there but there is a CAP_SYS_ADMIN, it can also pass the
> check. We recommend refining this check to exclusively use CAP_SYSLOG.
> Here's our reasoning for this suggestion:

Again, have you tested this?

thanks,

greg k-h

Next message: Jason-JH Lin (林睿祥): "Re: [PATCH v3 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver"
Previous message: Jason-JH Lin (林睿祥): "Re: [PATCH v3 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver"
In reply to: 孟敬姿: "Suggestion for Capability Check Refinement in check_syslog_permissions()"
Next in thread: Petr Mladek: "Re: Suggestion for Capability Check Refinement in check_syslog_permissions()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]