Quoting Stephen Smalley (sds(a)epoch.ncsc.mil):
On Wed, 2004-12-15 at 17:05, Serge Hallyn wrote:
<snip>
+static int cap_netlink_audit_check (struct sk_buff *skb)
+{
+ int msgtype = netlink_get_msgtype(skb);
+
+ switch(msgtype) {
+ case 0: /* not an audit msg */
+
+ case AUDIT_GET:
+ case AUDIT_LIST:
+ return 0;
+
+ case AUDIT_SET:
+ case AUDIT_USER:
+ case AUDIT_LOGIN:
+
+ case AUDIT_ADD:
+ case AUDIT_DEL:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+
+ default: /* permission denied: bad msg */
+ return msgtype;
+ }
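Review bot: in the default case the comment says "permission denied: bad msg" but the code returns msgtype, a message-type value rather than a negative errno, which does not match the 0 / -EPERM results of the other branches; return -EPERM there. The blank lines after "case 0:" and "case AUDIT_LOGIN:" also make those fall-throughs look accidental, so a /* fall through */ comment or dropping the blank lines would make the intended grouping explicit.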
<snip>
Shouldn't this function return -EPERM in the default case, not the
msgtype?
Yes it should, thanks.
Also, do we truly need separate dummy and commoncap implementations, or
can capability re-use the dummy function (as long as it internally calls
the top-level capable function)? Or do you plan on changing that to not
use the top-level capable function?
I wasn't. Certainly from a capability.ko point of view we would want
PF_SUPERPRIV set if an AUDIT_ADD is done. On the other hand, asking all
security modules to authorize CAP_SYS_ADMIN for the audit role seems
misguided if we eventually want to create a separate audit role.
-serge