forked from GrapheneOS/linux-hardened
Closed
Version: 5.0.7.a-2-hardened
When running dmesg, the following occurs when attempting to read the kernel buffer:
Ʋ dmesg
dmesg: read kernel buffer failed: Operation not permitted

journalctl however, is not restricted from reading the buffer:
Ʋ journalctl -k
-- Logs begin at Wed 2018-11-14 13:28:42 CET, end at Thu 2019-04-25 15:13:35 CES>
Apr 23 10:48:49 UNLIGHT kernel: Linux version 5.0.7.a-2-hardened (builduser@jell>
Apr 23 10:48:49 UNLIGHT kernel: Command line: initrd=\initramfs-linux.img cryptd>
Apr 23 10:48:49 UNLIGHT kernel: KERNEL supported cpus:
Apr 23 10:48:49 UNLIGHT kernel: Intel GenuineIntel
Apr 23 10:48:49 UNLIGHT kernel: AMD AuthenticAMD
Apr 23 10:48:49 UNLIGHT kernel: Hygon HygonGenuine
Apr 23 10:48:49 UNLIGHT kernel: Centaur CentaurHauls
Apr 23 10:48:49 UNLIGHT kernel: x86/fpu: Supporting XSAV
Since systemd-journal uses the sys_admin capability, it is not restricted:
Ʋ pscap | grep journal
1 29264 root systemd-journal chown, dac_override,
dac_read_search, fowner, setgid, setuid,
sys_ptrace, sys_admin, audit_control,
mac_override, syslog, audit_read

Is there any way we can restrict journalctl from accessing dmesg? The systemd project recommends removing the user from the systemd-journald group, but that does not work for my installation, as my user is not in that group.
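As an added example (not from the issue or the linux-hardened project), here is a small shell script that decodes the CapEff mask from /proc/&lt;pid&gt;/status and reports which processes could still read the ring buffer under kernel.dmesg_restrict=1, so a defender can review who holds syslog or sys_admin. The capability numbers are the ones from linux/capability.h; the sample mask in the comments is constructed from the pscap output above.

```shell
#!/bin/sh
# Added example, not code from the issue or the project: decode the CapEff
# mask that /proc/<pid>/status reports and tell whether that process can read
# the kernel ring buffer when kernel.dmesg_restrict=1.
CAP_SYS_ADMIN=21   # capability numbers from <linux/capability.h>
CAP_SYSLOG=34

# has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in the 64-bit mask
has_cap() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# can_read_dmesg HEXMASK DMESG_RESTRICT: prints yes or no.
# dmesg_restrict=0 lets any user read; with 1 the kernel requires CAP_SYSLOG
# and, for historical reasons, still accepts CAP_SYS_ADMIN. That is why
# journald (mask 00000025402800cf, constructed from the pscap line above,
# holding both sys_admin and syslog) is not blocked.
can_read_dmesg() {
    if [ "$2" = 0 ] || has_cap "$1" "$CAP_SYSLOG" || has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo yes
    else
        echo no
    fi
}

# cap_eff_of PID: effective capability mask of a running process (Linux only)
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# report_dmesg_readers: list every process that could read the ring buffer
# even with dmesg_restrict=1 (pid, CapEff, comm), one per line.
report_dmesg_readers() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        mask=$(cap_eff_of "$pid" 2>/dev/null) || continue
        [ -n "$mask" ] || continue
        if [ "$(can_read_dmesg "$mask" 1)" = yes ]; then
            printf '%s\t%s\t%s\n' "$pid" "$mask" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

report_dmesg_readers
```

Compare the list against `sysctl kernel.dmesg_restrict`: with the sysctl at 1, only the processes printed here can read the buffer, regardless of group membership.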