On Wed, 2004-12-15 at 17:26, Chris Wright wrote:
I really dislike duplicating code. I agree it should be put in a
central location. Does it really need to be broken out into the
security framework? Why not place it in audit itself?
Just a simple helper:
int audit_netlink_ok(struct nlmsghdr *nlh)
{
	int err = -EINVAL;

	if (audit_bad_header(nlh))
		goto out;

	err = 0;
	switch (nlh->nlmsg_type) {
	case ...:		/* message types anyone may send */
		break;
	case ...:		/* message types that need CAP_NET_ADMIN */
		if (!capable(CAP_NET_ADMIN))
			err = -EPERM;
		break;
	default:
		err = -EINVAL;
		break;
	}
out:
	return err;
}

int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
	...
	err = audit_netlink_ok(nlh);
	if (err)
		return err;
	...
}
That is still on the receive path, where you can't use capable() because
it is based on current which isn't necessarily the same as the sender.
Now, it is true that one could replace the existing capable() checks in
the audit code with explicit checks of NETLINK_CREDS(skb)->eff_cap.
That would allow you to keep the checks in the audit receive-side code.
We would need to change selinux_netlink_send to set the entire
capability set rather than just CAP_NET_ADMIN, but that would be easy to
do.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
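A user-space model of the distinction Stephen draws above, added here as an illustration and not code from the thread or from the kernel: the struct layouts, the two message types and the function names are constructed stand-ins, and only the CAP_NET_ADMIN bit number matches Linux. It shows why a capable()-style check that consults "current" can admit a privileged message from an unprivileged sender when the skb is processed in another task's context, while a check on the credentials carried with the skb does not.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed model, not kernel code: CAP_NET_ADMIN uses the Linux bit
 * number; the message types and struct layouts are stand-ins. */
#define CAP_NET_ADMIN 12
#define CAP_TO_MASK(c) (1u << (c))
typedef unsigned int kernel_cap_t;
enum { MSG_STATUS_QUERY = 1, MSG_SET_CONFIG = 2 };   /* constructed types */
struct netlink_skb_creds { kernel_cap_t eff_cap; };  /* NETLINK_CREDS(skb) stand-in */
struct skb { struct netlink_skb_creds creds; int nlmsg_type; };

/* The pattern the thread warns against: the check consults whatever task is
 * "current" when the message is processed, which need not be the sender. */
static int audit_netlink_ok_via_current(const struct skb *skb,
                                        kernel_cap_t current_eff_cap)
{
    switch (skb->nlmsg_type) {
    case MSG_STATUS_QUERY:
        return 0;
    case MSG_SET_CONFIG:
        return (current_eff_cap & CAP_TO_MASK(CAP_NET_ADMIN)) ? 0 : -EPERM;
    default:
        return -EINVAL;
    }
}

/* Stephen's alternative: the sender's effective capabilities travel with
 * the skb, so the check stays correct whoever is current at receive time. */
static int audit_netlink_ok_via_creds(const struct skb *skb)
{
    switch (skb->nlmsg_type) {
    case MSG_STATUS_QUERY:
        return 0;
    case MSG_SET_CONFIG:
        return (skb->creds.eff_cap & CAP_TO_MASK(CAP_NET_ADMIN)) ? 0 : -EPERM;
    default:
        return -EINVAL;
    }
}

/* Scenario: unprivileged sender, privileged task current at receive time.
 * True when the current-based check wrongly admits the privileged message. */
static bool checks_disagree(void)
{
    struct skb msg = { .creds = { .eff_cap = 0 }, .nlmsg_type = MSG_SET_CONFIG };
    kernel_cap_t root_caps = CAP_TO_MASK(CAP_NET_ADMIN);
    return audit_netlink_ok_via_current(&msg, root_caps) == 0 &&
           audit_netlink_ok_via_creds(&msg) == -EPERM;
}
```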