On Sat, 2005-02-12 at 16:41, Pablo Neira wrote:
> With your patch, a message from user space process that doesn't have the
> capabilities follows this path:
>
> sys_sendmsg() -> netlink_sendmsg() -> netlink_unicast() ->
> netlink_sendskb() = discarded here.
>
> Currently, it continues, for example in case of rtnetlink:
>
> ... -> netlink_sendskb() -> sk_data_ready(sk, len) -> rtnetlink_rcv() ->
> rtnetlink_rcv_skb() -> rtnetlink_rcv_msg() = discarded here.
>
> Nowadays the message is enqueued but it's discarded later. So if I'm not
> missing anything, I don't see the point of adding a new function to
> check for capabilities/audit stuff just a bit before.
Two reasons:
1) The sender-side checks allow checking (and auditing) based on the
current task's credentials, vs. having to save the information in the
netlink_skb_parms for use on the receiver side.
2) Performing the check up front at send time allows the kernel to
reject it early and reduce extraneous processing / resource consumption
by unauthorized processes.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
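
The two designs compared in this thread, as an added user-space model that is not kernel code and not part of the original messages. All struct and function names (`task`, `msg`, `rcv_sock`, `send_check_at_receiver`, `send_check_at_sender`, `receiver_drain`) are hypothetical; it shows that a receiver-side check needs the sender's credentials copied into each message and spends a queue slot on messages that are dropped later anyway.

```c
/* User-space model only: names are hypothetical, not kernel APIs. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define QUEUE_MAX 8
struct task { bool cap_net_admin; };          /* stands in for the current task's credentials */
struct msg { int type; bool sender_cap; };    /* sender_cap: credentials saved per message */
struct rcv_sock {
    struct msg q[QUEUE_MAX];
    size_t queued, enqueued_total, processed, dropped_late;
};

static int enqueue(struct rcv_sock *s, int type, bool cap)
{
    if (s->queued == QUEUE_MAX)
        return -EAGAIN;                       /* receive queue is full */
    s->q[s->queued++] = (struct msg){ .type = type, .sender_cap = cap };
    s->enqueued_total++;
    return 0;
}

/* Receiver-side check: always queue, snapshot the sender's capability for later. */
static int send_check_at_receiver(struct rcv_sock *s, const struct task *cur, int type)
{
    return enqueue(s, type, cur->cap_net_admin);
}

/* Sender-side check: decide from the current task, reject before queueing. */
static int send_check_at_sender(struct rcv_sock *s, const struct task *cur, int type)
{
    if (!cur->cap_net_admin)
        return -EPERM;
    return enqueue(s, type, true);
}

/* Receiver drains its queue; unauthorized messages are only discarded here. */
static void receiver_drain(struct rcv_sock *s)
{
    for (size_t i = 0; i < s->queued; i++)
        s->q[i].sender_cap ? s->processed++ : s->dropped_late++;
    s->queued = 0;
}

int main(void)
{
    struct task unpriv = { .cap_net_admin = false };
    struct rcv_sock late = {0}, early = {0};
    send_check_at_receiver(&late, &unpriv, 1);
    printf("sender-side rc=%d\n", send_check_at_sender(&early, &unpriv, 1));
    receiver_drain(&late);
    printf("late: queued=%zu dropped=%zu; early: queued=%zu\n",
           late.enqueued_total, late.dropped_late, early.enqueued_total);
    return 0;
}
```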