---

yaml
---
r: 227795
b: refs/heads/master
c: 38ef4c2
h: refs/heads/master
i:
  227793: 95e7c87
  227791: 5f3a391
v: v3

[refs]

@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 5c6d1125f8dbd1bfef39e38fbc2837003be78a59
+refs/heads/master: 38ef4c2e437d11b5922723504b62824e96761459

trunk/Documentation/sysctl/kernel.txt

@@ -219,7 +219,7 @@ dmesg_restrict:
 This toggle indicates whether unprivileged users are prevented from using
 dmesg(8) to view messages from the kernel's log buffer.  When
 dmesg_restrict is set to (0) there are no restrictions.  When
-dmesg_restrict is set set to (1), users must have CAP_SYS_ADMIN to use
+dmesg_restrict is set set to (1), users must have CAP_SYSLOG to use
 dmesg(8).
 
 The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default

trunk/kernel/printk.c

@@ -279,18 +279,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
 	 * at open time.
 	 */
 	if (type == SYSLOG_ACTION_OPEN || !from_file) {
-		if (dmesg_restrict && !capable(CAP_SYS_ADMIN))
-			return -EPERM;
+		if (dmesg_restrict && !capable(CAP_SYSLOG))
+			goto warn; /* switch to return -EPERM after 2.6.39 */
 		if ((type != SYSLOG_ACTION_READ_ALL &&
 		     type != SYSLOG_ACTION_SIZE_BUFFER) &&
-		    !capable(CAP_SYSLOG)) {
-			/* remove after 2.6.38 */
-			if (capable(CAP_SYS_ADMIN))
-				WARN_ONCE(1, "Attempt to access syslog with "
-				  "CAP_SYS_ADMIN but no CAP_SYSLOG "
-				  "(deprecated and denied).\n");
-			return -EPERM;
-		}
+		    !capable(CAP_SYSLOG))
+			goto warn; /* switch to return -EPERM after 2.6.39 */
 	}
 
 	error = security_syslog(type);
@@ -434,6 +428,12 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
 	}
 out:
 	return error;
+warn:
+	/* remove after 2.6.39 */
+	if (capable(CAP_SYS_ADMIN))
+		WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
+		  "but no CAP_SYSLOG (deprecated and denied).\n");
+	return -EPERM;
 }
 
 SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)