Two netlink patches
Serge E. Hallyn
serue at us.ibm.com
Wed Dec 15 22:42:56 UTC 2004
Quoting Stephen Smalley (sds at epoch.ncsc.mil):
> On Wed, 2004-12-15 at 17:05, Serge Hallyn wrote:
> <snip>
> +static int cap_netlink_audit_check (struct sk_buff *skb)
> +{
> + int msgtype = netlink_get_msgtype(skb);
> +
> + switch(msgtype) {
> + case 0: /* not an audit msg */
> +
> + case AUDIT_GET:
> + case AUDIT_LIST:
> + return 0;
> +
> + case AUDIT_SET:
> + case AUDIT_USER:
> + case AUDIT_LOGIN:
> +
> + case AUDIT_ADD:
> + case AUDIT_DEL:
> + if (!capable(CAP_SYS_ADMIN))
> + return -EPERM;
> + return 0;
> +
> + default: /* permission denied: bad msg */
> + return msgtype;
> + }
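Review bot: In the default case, `return msgtype;` hands back the positive message type even though its comment says "permission denied: bad msg". That value is not an errno, so any caller that only tests for a negative return would let an unrecognized message type through; it should be `return -EPERM;`. Separately, `case 0:` reaches `return 0` only by falling through a blank line into the `AUDIT_GET`/`AUDIT_LIST` labels. A `/* fall through */` comment there, or grouping the three labels together, would show that passing non-audit messages is intentional. A one-line comment on why `AUDIT_USER` and `AUDIT_LOGIN` are gated on `CAP_SYS_ADMIN` together with the rule-changing types would also help. Style: write `switch (msgtype)` with a space, and drop the space before the parenthesis in `cap_netlink_audit_check (`.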
> <snip>
>
> Shouldn't this function return -EPERM in the default case, not the
> msgtype?
Yes it should, thanks.
> Also, do we truly need separate dummy and commoncap implementations, or
> can capability re-use the dummy function (as long as it internally calls
> the top-level capable function)? Or do you plan on changing that to not
> use the top-level capable function?
I wasn't. Certainly from a capability.ko point of view we would want
PF_SUPERPRIV set if an AUDIT_ADD is done. On the other hand, asking all
security modules to authorize CAP_SYS_ADMIN for the audit role seems
misguided if we eventually want to create a separate audit role.
-serge
More information about the Linux-audit
mailing list