Re: [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join
On 14/02/19, Eric Paris wrote:
On Wed, 2014-02-19 at 13:08 -0500, Richard Guy Briggs wrote:
> Register a netlink per-protocol bind fuction for audit to check userspace
> process capabilities before allowing a multicast group connection.
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b5b2f72..f2d2d61 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1050,10 +1050,20 @@ static void audit_receive(struct sk_buff *skb)
> mutex_unlock(&audit_cmd_mutex);
> }
>
> +/* Run custom bind function on netlink socket group connect or bind requests. */
> +static int audit_bind(int group)
> +{
> + if (!capable(CAP_AUDIT_READ))
Not a great idea to use CAP_AUDIT_READ before you define it in patch4
<blush>
> + return -EPERM;
> +
> + return 0;
> +}
> +
> static int __net_init audit_net_init(struct net *net)
> {
> struct netlink_kernel_cfg cfg = {
> .input = audit_receive,
> + .bind = audit_bind,
> };
>
> struct audit_net *aunet = net_generic(net, audit_net_id);
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545