
Re: [PATCH] Add audit uid to netlink credentials



On Wed, 2005-02-09 at 14:17 +0000, David Woodhouse wrote:
> The only time it's possibly worth verifying it is for the case where
> userspace is sending AUDIT_USER messages -- for which the process needs
> CAP_AUDIT_WRITE anyway.

CAP_AUDIT_WRITE is needed, but not CAP_AUDIT_CONTROL, which is needed to
set the loginuid.  Of course, an LSM could check at
security_netlink_send whether the login_uid in the payload is the same
as the real loginuid.  Otherwise, we're wasting a (very precious)
capability bit.

In either case, have we decided we don't want it in the netlink
credentials after all?

thanks,
-serge 
-- 
Serge Hallyn <serue us ibm com>

