On Mon, 2004-12-27 at 17:25, Serge E. Hallyn wrote:
 +	security_compute_av(tsec->sid, tsec->sid,
SECCLASS_CAPABILITY, ~0,
 +							&avd);
 +	cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed); 
Sorry, on second thought, we likely don't want the performance and
locking overhead of security_compute_av() imposed on all netlink sends,
so I'd suggest the diff below relative to your patch to switch back to
using avc_has_perm_noaudit(), but clearing avd.allowed first to ensure a
well-defined value even upon error return and casting to void to avoid a
warning about ignoring the return value.
--- linux-2.6/security/selinux/hooks.c.orig	2004-12-28 07:55:06.526688392 -0500
+++ linux-2.6/security/selinux/hooks.c	2004-12-28 07:56:09.234155408 -0500
@@ -3551,8 +3551,9 @@ static int selinux_netlink_send(struct s
 	
 	tsec = current->security;
 
-	security_compute_av(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, ~0,
-							&avd);
+	avd.allowed = 0;
+	(void)avc_has_perm_noaudit(tsec->sid, tsec->sid, 
+				   SECCLASS_CAPABILITY, ~0, &avd);
 	cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
 
 	if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
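Review bot: with `avd.allowed = 0;` set before the call, a nonzero return from avc_has_perm_noaudit() leaves avd.allowed at 0, so the following cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed) strips every effective capability from the message; that fails closed, which is the right direction for a capability check, but the (void) cast means the error itself is never surfaced, so a one-line comment above `avd.allowed = 0;` stating that an AVC error is deliberately treated as "no capabilities allowed" would spare the next reader from wondering whether the ignored return value is an oversight. Minor style point: the added line `(void)avc_has_perm_noaudit(tsec->sid, tsec->sid, ` carries trailing whitespace.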
-- 
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency