| To: | Linux Audit Discussion <linux-audit@xxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] Add audit uid to netlink credentials |
| From: | Serge Hallyn <serue@xxxxxxxxxx> |
| Date: | Wed, 09 Feb 2005 08:50:59 -0600 |
| Cc: | netdev@xxxxxxxxxxx, davem@xxxxxxxxxxxxx, kuznet@xxxxxxxxxxxxx |
| In-reply-to: | <1107958621.19262.524.camel@hades.cambridge.redhat.com> |
| References: | <20050204165840.GA2320@IBM-BWN8ZTBWA01.austin.ibm.com> <1107958621.19262.524.camel@hades.cambridge.redhat.com> |
| Sender: | netdev-bounce@xxxxxxxxxxx |

On Wed, 2005-02-09 at 14:17 +0000, David Woodhouse wrote:
> The only time it's possibly worth verifying it is for the case where
> userspace is sending AUDIT_USER messages -- for which the process needs
> CAP_AUDIT_WRITE anyway.

CAP_AUDIT_WRITE is needed, but not CAP_AUDIT_CONTROL, which is needed to set the loginuid. Of course, an LSM could check at security_netlink_send whether the login_uid in the payload is the same as the real loginuid. Otherwise, we're wasting a (very precious) capability bit.

In either case, have we decided we don't want it in the netlink credentials after all?

thanks,
-serge

--
Serge Hallyn <serue@xxxxxxxxxx>