Add audit_check_sender() function for audit netlink messages. This can also
be used to set the loginuid, although I have left that out for the moment.
===== kernel/audit.c 1.9 vs edited =====
--- 1.9/kernel/audit.c 2005-01-30 22:33:47 -08:00
+++ edited/kernel/audit.c 2005-02-11 22:25:33 -08:00
@@ -309,27 +309,36 @@ nlmsg_failure: /* Used by NLMSG_PUT */
* Check for appropriate CAP_AUDIT_ capabilities on incoming audit
* control messages.
*/
-static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
+static int audit_check_sender(struct sk_buff *skb)
{
- int err = 0;
+ struct nlmsghdr *nlh;
+ u16 msg_type;
+ int err = -EINVAL;
+ if (skb->len < NLMSG_LENGTH(0))
+ goto out;
+
+ nlh = (struct nlmsghdr *)skb->data;
+ msg_type = nlh->nlmsg_type;
+
+ err = 0;
switch (msg_type) {
case AUDIT_GET:
case AUDIT_LIST:
case AUDIT_SET:
case AUDIT_ADD:
case AUDIT_DEL:
- if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
+ if (!capable(CAP_AUDIT_CONTROL))
err = -EPERM;
break;
case AUDIT_USER:
- if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
+ if (!capable(CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
err = -EINVAL;
}
-
+out:
return err;
}
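Review bot: The new `capable(CAP_AUDIT_CONTROL)` / `capable(CAP_AUDIT_WRITE)` calls check the capabilities of `current`, whereas the removed `cap_raised(eff_cap, …)` checked the effective capabilities the netlink layer recorded for the sender in the skb; the two are only equivalent if the hook handed to netlink_kernel_create_check() in audit_init() runs synchronously in the sending task's context, which nothing in this hunk states. That assumption is the whole security argument for the function, so it belongs in the header comment, e.g. `/* Called in the sender's context by the netlink_kernel_create_check() hook, so capable() tests the sending task, not the receiving thread. */`. The `skb->len < NLMSG_LENGTH(0)` guard is what makes the `nlh->nlmsg_type` read in-bounds; a one-line comment saying so (`/* need at least a full nlmsghdr before reading nlmsg_type */`) would keep a later maintainer from moving the read above it. Note that `nlh->nlmsg_len` itself is not validated here; presumably the receive path still does that, but it is worth saying in the comment that this function only vets type and sender, not message length. The function's opening comment block begins above the hunk.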
@@ -338,14 +347,10 @@ static int audit_receive_msg(struct sk_b
u32 uid, pid, seq;
void *data;
struct audit_status *status_get, status_set;
- int err;
+ int err = 0;
struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
- err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
- if (err)
- return err;
-
pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid;
seq = nlh->nlmsg_seq;
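Review bot: With the `audit_netlink_ok()` call removed, audit_receive_msg() no longer performs any capability or message-type check itself and relies entirely on audit_check_sender() having been installed as the socket's sender hook in audit_init(); any future path that delivers an skb to audit_receive() without passing through that hook would process unchecked messages. That dependency should be stated at the point of removal, e.g. `/* Sender capabilities and msg_type were already validated by audit_check_sender() (installed via netlink_kernel_create_check() in audit_init()) before this skb was queued. */`. `msg_type` is still read from `nlh` on the line above and dispatched on below, so the "unknown type -> -EINVAL" behaviour now lives only in the hook; the comment should mention that too. audit_receive_msg() starts before and continues after this hunk.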
@@ -551,7 +556,7 @@ int __init audit_init(void)
{
printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
audit_default ? "enabled" : "disabled");
- audit_sock = netlink_kernel_create(NETLINK_AUDIT, audit_receive);
+ audit_sock = netlink_kernel_create_check(NETLINK_AUDIT, audit_receive,
audit_check_sender);
if (!audit_sock)
audit_panic("cannot initialize netlink socket");
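Review bot: `netlink_kernel_create_check()` is called on the new line but is not defined or declared anywhere in this diff, so this file presumably depends on a companion netlink patch that adds the hook-taking variant; the commit message should name that prerequisite so the series cannot be applied out of order. A short comment above the call would also help, e.g. `/* the third argument runs in the sender's context for every message before it is queued to audit_receive */`, since that is what justifies dropping the in-handler check in audit_receive_msg(). audit_init() continues past the end of this hunk.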