diff -up ./Documentation/sysctl/kernel.txt.dr ./Documentation/sysctl/kernel.txt --- ./Documentation/sysctl/kernel.txt.dr 2012-07-31 07:35:45.000000000 -0400 +++ ./Documentation/sysctl/kernel.txt 2012-07-31 08:31:06.000000000 -0400 @@ -141,9 +141,9 @@ This toggle indicates whether unprivileg dmesg(8) to view messages from the kernel's log buffer. When dmesg_restrict is set to 0 there are no restrictions. When dmesg_restrict is set to 1, users must have CAP_SYS_ADMIN to use -dmesg(8) on the hardware node and CAP_VE_SYS_ADMIN in containers -(so that the in-container root may view that container's kernel -messages such as from iptables). +dmesg(8) on the hardware node. +Inside containers dmesg_restrict is ignored becasue virtualized dmesg buffer +contains safe kernel messages only. The kernel config option CONFIG_SECURITY_DMESG_RESTRICT sets the default value of dmesg_restrict.
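Review bot: The added sentence at the end of the dmesg_restrict paragraph misspells "because" as "becasue" and drops an article; suggest "Inside containers dmesg_restrict is ignored because the virtualized dmesg buffer contains safe kernel messages only." The removed text named CAP_VE_SYS_ADMIN as the in-container requirement, but the new text does not say whether any capability is still needed to read the buffer inside a container, so please state that explicitly. "Safe kernel messages only" is also undefined: the old text gave iptables messages as an example of what in-container root may view, and a short statement of what does and does not reach the virtualized buffer would let an administrator who sets dmesg_restrict to 1 know what container users can still read.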