netdev

Re: [PATCH] Add audit uid to netlink credentials

To: Linux Audit Discussion <linux-audit@xxxxxxxxxx>
Subject: Re: [PATCH] Add audit uid to netlink credentials
From: Serge Hallyn <serue@xxxxxxxxxx>
Date: Wed, 09 Feb 2005 08:50:59 -0600
Cc: netdev@xxxxxxxxxxx, davem@xxxxxxxxxxxxx, kuznet@xxxxxxxxxxxxx
In-reply-to: <1107958621.19262.524.camel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <20050204165840.GA2320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1107958621.19262.524.camel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
On Wed, 2005-02-09 at 14:17 +0000, David Woodhouse wrote:
> The only time it's possibly worth verifying it is for the case where
> userspace is sending AUDIT_USER messages -- for which the process needs
> CAP_AUDIT_WRITE anyway.

CAP_AUDIT_WRITE is needed, but not CAP_AUDIT_CONTROL, which is needed to
set the loginuid.  Of course, an LSM could check at
security_netlink_send whether the login_uid in the payload is the same
as the real loginuid.  Otherwise, we're wasting a (very precious)
capability bit.

In either case, have we decided we don't want it in the netlink
credentials after all?

thanks,
-serge 
-- 
Serge Hallyn <serue@xxxxxxxxxx>
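As an added example, not part of this message and not the patch under discussion: a userspace C model of the check Serge describes, an LSM netlink_send hook that compares the loginuid asserted in an AUDIT_USER payload against the sender's kernel-tracked loginuid (the value the patch would carry in the netlink credentials), gated on CAP_AUDIT_WRITE. The fixed payload layout, the struct and function names, and the choice to let CAP_AUDIT_CONTROL override a mismatch are assumptions of the example; the real AUDIT_USER payload is a text string, so a production hook would have to parse its auid field instead.

```c
/* Userspace model of the check discussed in the thread: an LSM netlink_send
 * hook that refuses an AUDIT_USER message whose payload asserts a loginuid
 * different from the one the kernel tracks for the sending task.
 * Added example, not kernel code and not the patch under review. Constants
 * mirror linux/capability.h and linux/audit.h but are defined here so the
 * file builds without kernel headers; the payload layout is invented. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define CAP_AUDIT_WRITE   29
#define CAP_AUDIT_CONTROL 30
#define AUDIT_USER        1005
#define CAP_MASK(c)       (1ULL << (c))

/* What the patch would expose to the hook via netlink credentials:
 * the sender's kernel-tracked loginuid next to uid and capabilities. */
struct nl_sender_creds {
    uint32_t uid;
    uint32_t loginuid;
    uint64_t cap_effective;
};

/* Hypothetical fixed payload. Real AUDIT_USER records are free text, so a
 * production check would parse the "auid=" field rather than read a struct. */
struct audit_user_msg {
    uint16_t nlmsg_type;
    uint32_t claimed_loginuid;
    char     text[64];
};

enum nl_verdict {
    NL_ALLOW = 0,
    NL_DENY_NO_AUDIT_WRITE,
    NL_DENY_LOGINUID_MISMATCH,
};

static bool has_cap(const struct nl_sender_creds *c, int cap)
{
    return (c->cap_effective & CAP_MASK(cap)) != 0;
}

/* Modelled security_netlink_send() decision for the audit socket. */
enum nl_verdict audit_netlink_send(const struct nl_sender_creds *sender,
                                   const struct audit_user_msg *msg)
{
    if (msg->nlmsg_type != AUDIT_USER)
        return NL_ALLOW;            /* other message types are out of scope here */

    /* Existing rule: userspace audit records need CAP_AUDIT_WRITE. */
    if (!has_cap(sender, CAP_AUDIT_WRITE))
        return NL_DENY_NO_AUDIT_WRITE;

    /* The point raised in the thread: CAP_AUDIT_WRITE does not let a task
     * change its loginuid, so a payload claiming a different auid is a
     * forgery unless the sender also holds CAP_AUDIT_CONTROL, the capability
     * that does allow setting loginuid. Treating CAP_AUDIT_CONTROL as an
     * override is this example's assumption, not something the thread settles. */
    if (msg->claimed_loginuid != sender->loginuid &&
        !has_cap(sender, CAP_AUDIT_CONTROL))
        return NL_DENY_LOGINUID_MISMATCH;

    return NL_ALLOW;
}

/* Convenience wrapper that builds both structs from scalars. */
enum nl_verdict check_audit_send(uint32_t loginuid, uint64_t caps,
                                 uint16_t type, uint32_t claimed)
{
    struct nl_sender_creds s = { .uid = 0, .loginuid = loginuid, .cap_effective = caps };
    struct audit_user_msg m = { .nlmsg_type = type, .claimed_loginuid = claimed,
                                .text = "constructed AUDIT_USER record" };
    return audit_netlink_send(&s, &m);
}

int main(void)
{
    static const char *names[] = { "allow", "deny: no CAP_AUDIT_WRITE",
                                   "deny: loginuid mismatch" };
    /* Constructed scenarios: a daemon whose kernel-tracked loginuid is 1000. */
    printf("honest auid, CAP_AUDIT_WRITE only:  %s\n",
           names[check_audit_send(1000, CAP_MASK(CAP_AUDIT_WRITE), AUDIT_USER, 1000)]);
    printf("forged auid, CAP_AUDIT_WRITE only:  %s\n",
           names[check_audit_send(1000, CAP_MASK(CAP_AUDIT_WRITE), AUDIT_USER, 0)]);
    printf("forged auid, +CAP_AUDIT_CONTROL:    %s\n",
           names[check_audit_send(1000, CAP_MASK(CAP_AUDIT_WRITE) | CAP_MASK(CAP_AUDIT_CONTROL),
                                  AUDIT_USER, 0)]);
    printf("no capability at all:               %s\n",
           names[check_audit_send(1000, 0, AUDIT_USER, 1000)]);
    return 0;
}
```

The forged-auid case is the one the capability bit alone cannot catch: both honest and forged senders hold CAP_AUDIT_WRITE, and only the kernel-side loginuid carried with the message lets the hook tell them apart.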

