Re: [PATCH] LSM hooks for audit

Sorry, I wasn't thinking in my initial response. These operations are exported via netlink, which is async, right? Hence, permission checks based on current, including the existing capable() checks, are bogus; you would be checking in the receiving context, not necessarily the sending context. Sending context is not conveyed at present via netlink_skb_parms (no security field) other than uid and capability set. You can performs check upon netlink_send; see what SELinux does there. SELinux policy already governs ability to create and use netlink_audit_sockets and maps the netlink operations to read or write flows, but doesn't offer any finer granularity than that. -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency