[PATCH] Add audit uid to netlink credentials

Chris Wright chrisw at osdl.org
Thu Feb 10 17:14:27 UTC 2005


* Stephen Smalley (sds at epoch.ncsc.mil) wrote:
> On Wed, 2005-02-09 at 19:19, Chris Wright wrote:
> > Then it comes back to the question of how to protect loginuid.  If it
> > can be spoofed by someone with CAP_AUDIT_WRITE, then it shouldn't be
> > write protected by CAP_AUDIT_CONTROL.
> 
> To be precise, isn't it true that someone with only CAP_AUDIT_WRITE
> would only be able to spoof loginuids in the AUDIT_USER messages they
> generate?  The loginuid on any syscall audit messages for the task would
> still be the one associated with the task's audit context, so that would
> not be spoofable.

Yes, that's true.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net



