Two netlink patches
Stephen Smalley
sds at epoch.ncsc.mil
Thu Dec 16 12:36:44 UTC 2004
On Wed, 2004-12-15 at 17:26, Chris Wright wrote:
> I really dislike duplicating code. I agree it should be put in a
> central location. Does it really need to be broken out into the
> security framework? Why not place it in audit itself?
>
> Just a simple helper:
>
> int audit_netlink_ok(struct nlmsghdr *nlh)
> {
> int err = -EINVAL;
>
> if (audit_bad_header(nlh))
> goto out;
>
> err = 0;
> switch() {
> ok:
> break;
> capable:
> if (!capable())
> err = -EPERM;
> break;
> default:
> err = -EINVAL;
> break;
> }
> out:
> return err;
> }
>
> audit_recieve_msg(skb, nlh)
> {
> ...
> err = audit_netlink_ok(nlh);
> if (err)
> return err;
> ...
> }
That is still on the receive path, where you can't use capable() because
it is based on current which isn't necessarily the same as the sender.
Now, it is true that one could replace the existing capable() checks in
the audit code with explicit checks of NETLINK_CREDS(skb)->eff_cap.
That would allow you to keep the checks in the audit receive-side code.
We would need to change selinux_netlink_send to set the entire
capability set rather than just CAP_NET_ADMIN, but that would be easy to
do.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the Linux-audit
mailing list