The attached patch implements the permissions check the way I think
Chris and Stephen were suggesting. It does not yet set the netlink
eff_caps in selinux_netlink_send(). Other than that, does this patch
seem reasonable? Is this preferable to the sender side check? Do
we want to add some audit read checks, and split CAP_AUDIT into two
or three capabilities?
thanks,
-serge
Quoting Stephen Smalley (sds(a)epoch.ncsc.mil):
On Wed, 2004-12-15 at 17:26, Chris Wright wrote:
> I really dislike duplicating code. I agree it should be put in a
> central location. Does it really need to be broken out into the
> security framework? Why not place it in audit itself?
>
> Just a simple helper:
>
> int audit_netlink_ok(struct nlmsghdr *nlh)
> {
> 	int err = -EINVAL;
>
> 	if (audit_bad_header(nlh))
> 		goto out;
>
> 	err = 0;
> 	switch (nlh->nlmsg_type) {
> 	ok:		/* message types that need no privilege */
> 		break;
> 	capable:	/* message types that need a capability */
> 		if (!capable())
> 			err = -EPERM;
> 		break;
> 	default:
> 		err = -EINVAL;
> 		break;
> 	}
> out:
> 	return err;
> }
>
> audit_receive_msg(skb, nlh)
> {
> 	...
> 	err = audit_netlink_ok(nlh);
> 	if (err)
> 		return err;
> 	...
> }
That is still on the receive path, where you can't use capable() because
it is based on current which isn't necessarily the same as the sender.
Now, it is true that one could replace the existing capable() checks in
the audit code with explicit checks of NETLINK_CREDS(skb)->eff_cap.
That would allow you to keep the checks in the audit receive-side code.
We would need to change selinux_netlink_send to set the entire
capability set rather than just CAP_NET_ADMIN, but that would be easy to
do.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
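Stephen's point about capable() on the receive path, as an added example that is not part of this thread, of Chris's sketch, or of the patch Serge attached: a userspace C model of the two ways to authorise an audit netlink request. The kernel types and helpers (kernel_cap_t, cap_raised, NETLINK_CREDS, current, capable) are simplified stand-ins, the split of CAP_AUDIT into CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE is assumed for illustration, the audit message type values are placeholders, and the function names audit_required_cap, audit_check_via_current and netlink_send_record_caps are mine. The demo runs the send path as an unprivileged task, then the receive path while a privileged task is current, and shows that capable() admits the request while a check against the sender's recorded eff_cap rejects it.

```c
/* Added example, not kernel code: userspace model of receive-side
 * authorisation for audit netlink messages.  Compare checking capable(),
 * which consults the task that happens to be current on the receive path,
 * with checking the sender's effective capabilities that netlink recorded
 * in NETLINK_CREDS(skb)->eff_cap at send time.  All names are assumptions. */
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

typedef uint32_t kernel_cap_t;              /* model of the kernel capability set */

#define CAP_NET_ADMIN      12
#define CAP_AUDIT_WRITE    29               /* assumed split of CAP_AUDIT: emit records */
#define CAP_AUDIT_CONTROL  30               /* assumed split of CAP_AUDIT: configure */

#define CAP_TO_MASK(c)     ((kernel_cap_t)1u << (c))
#define cap_raised(set, c) (((set) & CAP_TO_MASK(c)) != 0)

/* Model audit message types (values are placeholders, not the real ones). */
enum { AUDIT_GET = 1000, AUDIT_SET, AUDIT_LIST, AUDIT_ADD, AUDIT_DEL, AUDIT_USER };

/* Model of the credentials netlink stores in the skb when it is sent. */
struct netlink_skb_parms { uint32_t pid; kernel_cap_t eff_cap; };
struct sk_buff { struct netlink_skb_parms cb; };
#define NETLINK_CREDS(skb) (&(skb)->cb)

/* Model of "current": the task in whose context the code is running. */
struct task_struct { kernel_cap_t cap_effective; };
static struct task_struct *current;
static int capable(int cap) { return cap_raised(current->cap_effective, cap); }

/* Model of the send-side hook: record the sender's whole effective set,
 * rather than only CAP_NET_ADMIN, so the receive path can check any cap. */
static void netlink_send_record_caps(struct sk_buff *skb)
{
	NETLINK_CREDS(skb)->eff_cap = current->cap_effective;
}

/* Capability a message type requires; -EINVAL marks an unknown type. */
static int audit_required_cap(uint16_t msg_type)
{
	switch (msg_type) {
	case AUDIT_GET: case AUDIT_SET: case AUDIT_LIST:
	case AUDIT_ADD: case AUDIT_DEL:
		return CAP_AUDIT_CONTROL;
	case AUDIT_USER:
		return CAP_AUDIT_WRITE;
	default:
		return -EINVAL;
	}
}

/* Receive-side check using capable(): consults current, not the sender. */
static int audit_check_via_current(uint16_t msg_type)
{
	int cap = audit_required_cap(msg_type);
	if (cap < 0)
		return cap;
	return capable(cap) ? 0 : -EPERM;
}

/* Receive-side check against the sender's eff_cap carried in the skb. */
static int audit_netlink_ok(kernel_cap_t eff_cap, uint16_t msg_type)
{
	int cap = audit_required_cap(msg_type);
	if (cap < 0)
		return cap;
	return cap_raised(eff_cap, cap) ? 0 : -EPERM;
}

/* Model of the receive path: authorise with the creds recorded at send time. */
static int audit_receive_msg(struct sk_buff *skb, uint16_t msg_type)
{
	return audit_netlink_ok(NETLINK_CREDS(skb)->eff_cap, msg_type);
}

/* Scenario: an unprivileged task sends AUDIT_SET; the message is processed
 * while a task holding CAP_AUDIT_CONTROL is current.  Returns 1 when the
 * capable() check wrongly admits the request and the eff_cap check rejects it. */
static int demo_confused_deputy(void)
{
	struct task_struct sender = { 0 };                    /* no capabilities */
	struct task_struct receiver = { CAP_TO_MASK(CAP_AUDIT_CONTROL) |
					CAP_TO_MASK(CAP_NET_ADMIN) };
	struct sk_buff skb = { { 4242, 0 } };                 /* constructed message */

	current = &sender;
	netlink_send_record_caps(&skb);     /* send path runs as the sender */

	current = &receiver;                /* receive path runs as someone else */
	return audit_check_via_current(AUDIT_SET) == 0 &&
	       audit_receive_msg(&skb, AUDIT_SET) == -EPERM;
}

int main(void)
{
	printf("capable() on the receive path admits the unprivileged sender: %s\n",
	       demo_confused_deputy() ? "yes" : "no");
	return 0;
}
```

The model only captures the ordering problem: by the time the audit code runs the receive path, current may be kauditd, a privileged daemon, or whatever task drained the socket, so capable() answers a question about the wrong principal. Recording the full effective set at send time keeps the check on the receive side, as Stephen describes, without that ambiguity.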