10:16 a.m.
Attached is a new patch to introduce CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE. Thank you all for the clarifications on appropriate
caps.
Purpose: Audit message authentication is being done on the process
receiving the message, which may not be the process sending the message.
This patch sets the sk_buff eff_caps according to the sender
permissions, and authenticates audit message handling based on that. It
also switches from using CAP_SYS_ADMIN to using AUDIT capabilities.
Changelog:
12-20-2005: Switch from CAP_[SYS,NET]_ADMIN to AUDIT capabilities.
12-27-2005: Use dummy_capget in dummy_netlink_send, and correctly mask
the skb's eff_cap according to selinux perms.
12-28-2005: Use avc_has_perm_noaudit in selinux_netlink_send to use
cached decisions.
01-06-2005: Switch to using CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE.
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
4:32 p.m.
Serge Hallyn wrote:
Attached is a new patch to introduce CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE. Thank you all for the clarifications on appropriate
caps.
Sorry for the delay on this response. At least this comment is not of great
importance :)
It seems that netlink_get_msgtype is not really needed here. The type is
already available in audit_receive_msg and can be passed to audit_netlink_ok;
and the length checks performed by netlink_get_msgtype will never catch a
failure because the same checks are already done by audit_receive_skb. Removing
this function would remove the need to modify the netlink.h and af_netlink.c files.
--
Darrel
9:29 p.m.
The idea of exporting netlink_get_msgtype was that LSMs which want
to implement finer grained controls than the capabilities, could
do so using netlink_get_msgtype at security_netlink_send().
-serge
Quoting Darrel Goeddel (dgoeddel(a)trustedcs.com):
Serge Hallyn wrote:
>Attached is a new patch to introduce CAP_AUDIT_CONTROL and
>CAP_AUDIT_WRITE. Thank you all for the clarifications on appropriate
>caps.
>
Sorry for the delay on this response. At least this comment is not of
great importance :)
It seems that netlink_get_msgtype is not really needed here. The type is
already available in audit_receive_msg and can be passed to
audit_netlink_ok; and the length checks performed by netlink_get_msgtype
will never catch a failure because the same checks are already done by
audit_receive_skb. Removing this function would remove the need to modify
the netlink.h and af_netlink.c files.
--
Darrel
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
2:38 p.m.
On Fri, 2005-01-07 at 11:16, Serge Hallyn wrote:
Attached is a new patch to introduce CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE. Thank you all for the clarifications on appropriate
caps.
Purpose: Audit message authentication is being done on the process
receiving the message, which may not be the process sending the message.
This patch sets the sk_buff eff_caps according to the sender
permissions, and authenticates audit message handling based on that. It
also switches from using CAP_SYS_ADMIN to using AUDIT capabilities.
Changelog:
12-20-2005: Switch from CAP_[SYS,NET]_ADMIN to AUDIT capabilities.
12-27-2005: Use dummy_capget in dummy_netlink_send, and correctly mask
the skb's eff_cap according to selinux perms.
12-28-2005: Use avc_has_perm_noaudit in selinux_netlink_send to use
cached decisions.
01-06-2005: Switch to using CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE.
Any reason this hasn't been submitted upstream?
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
5:23 p.m.
Quoting Stephen Smalley (sds(a)epoch.ncsc.mil):
On Fri, 2005-01-07 at 11:16, Serge Hallyn wrote:
> Attached is a new patch to introduce CAP_AUDIT_CONTROL and
> CAP_AUDIT_WRITE. Thank you all for the clarifications on appropriate
> caps.
>
> Purpose: Audit message authentication is being done on the process
> receiving the message, which may not be the process sending the message.
> This patch sets the sk_buff eff_caps according to the sender
> permissions, and authenticates audit message handling based on that. It
> also switches from using CAP_SYS_ADMIN to using AUDIT capabilities.
>
> Changelog:
> 12-20-2005: Switch from CAP_[SYS,NET]_ADMIN to AUDIT capabilities.
> 12-27-2005: Use dummy_capget in dummy_netlink_send, and correctly mask
> the skb's eff_cap according to selinux perms.
> 12-28-2005: Use avc_has_perm_noaudit in selinux_netlink_send to use
> cached decisions.
> 01-06-2005: Switch to using CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE.
Any reason this hasn't been submitted upstream?
Only that I was waiting for feedback.
Do you think we should keep the netlink_get_msgtype function, or get rid
of it (and perhaps get away with not mailing net-devel :)?
thanks,
-serge
6:40 a.m.
On Thu, 2005-01-13 at 18:23, Serge E. Hallyn wrote:
Only that I was waiting for feedback.
Do you think we should keep the netlink_get_msgtype function, or get rid
of it (and perhaps get away with not mailing net-devel :)?
Doesn't matter to me either way, and it would simplify the patch I
suppose.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
7282
days inactive
7289
days old
linux-audit@lists.linux-audit.osci.io
5 comments
4 participants
participants (4)
-
Darrel Goeddel -
Serge E. Hallyn -
Serge Hallyn
-
Stephen Smalley