Two netlink patches

Serge E. Hallyn serue at us.ibm.com
Wed Dec 15 22:42:56 UTC 2004


Quoting Stephen Smalley (sds at epoch.ncsc.mil):
> On Wed, 2004-12-15 at 17:05, Serge Hallyn wrote:
> <snip>
> +static int cap_netlink_audit_check (struct sk_buff *skb)
> +{
> +	int msgtype = netlink_get_msgtype(skb);
> +
> +	switch(msgtype) {
> +		case 0:  /* not an audit msg */
> +
> +		case AUDIT_GET:
> +		case AUDIT_LIST:
> +			return 0;
> +
> +		case AUDIT_SET:
> +		case AUDIT_USER:
> +		case AUDIT_LOGIN:
> +
> +		case AUDIT_ADD:
> +		case AUDIT_DEL:
> +			if (!capable(CAP_SYS_ADMIN))
> +				return -EPERM;
> +			return 0;
> +
> +		default:  /* permission denied: bad msg */
> +			return msgtype;
> +	}
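
Review bot: the `case 0:  /* not an audit msg */` label at the top of the switch reaches the `return 0` under `AUDIT_GET`/`AUDIT_LIST` only by falling through past a blank line, so it is not clear from the code that letting non-audit messages through unchecked is deliberate. Give it its own `return 0;` or mark the fall-through with a comment. In the `default` branch, `return msgtype;` hands back a positive message type from a function whose other paths return 0 or -EPERM, which contradicts the "permission denied" comment beside it; any caller that treats only negative values as failure would accept an unknown type, so return -EPERM there. Style: drop the space before the parameter list in `cap_netlink_audit_check (struct sk_buff *skb)`, write `switch (msgtype)`, and align the `case` labels with the `switch`.
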
> <snip>
> 
> Shouldn't this function return -EPERM in the default case, not the
> msgtype?

Yes it should, thanks.

> Also, do we truly need separate dummy and commoncap implementations, or
> can capability re-use the dummy function (as long as it internally calls
> the top-level capable function)?  Or do you plan on changing that to not
> use the top-level capable function?

I wasn't.  Certainly from a capability.ko point of view we would want
PF_SUPERPRIV set if an AUDIT_ADD is done.  On the other hand, asking all
security modules to authorize CAP_SYS_ADMIN for the audit role seems
misguided if we eventually want to create a separate audit role.

-serge



