Re: [PATCH] Add audit uid to netlink credentials
On Wed, 2005-02-09 at 19:19, Chris Wright wrote:
Then it comes back to the question of how to protect loginuid. If
it
can be spoofed by someone with CAP_AUDIT_WRITE, then it shouldn't be
write protected by CAP_AUDIT_CONTROL.
To be precise, isn't it true that someone with only CAP_AUDIT_WRITE
would only be able to spoof loginuids in the AUDIT_USER messages they
generate? The loginuid on any syscall audit messages for the task would
still be the one associated with the task's audit context, so that would
not be spoofable.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency