Linux Device Mapper development
From: Chris Wright <chrisw@sous-sol.org>
To: Patrick McHardy <kaber@trash.net>
Cc: NetDev <netdev@vger.kernel.org>,
	dm-devel@redhat.com, "David S. Miller" <davem@davemloft.net>,
	Chris Wright <chrisw@sous-sol.org>,
	"linux-security-module@vger.kernel.org"
	<linux-security-module@vger.kernel.org>,
	drbd-dev@lists.linbit.com
Subject: Re: [PATCH 2/2] netlink: kill eff_cap from struct netlink_skb_parms
Date: Thu, 3 Mar 2011 09:32:30 -0800
Message-ID: <20110303173230.GP4988@sequoia.sous-sol.org>
In-Reply-To: <4D6F6180.5030903@trash.net>

* Patrick McHardy (kaber@trash.net) wrote:

> commit 8ff259625f0ab295fa085b0718eed13093813fbc
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Thu Mar 3 10:17:31 2011 +0100
> 
>     netlink: kill eff_cap from struct netlink_skb_parms
>     
>     Netlink message processing in the kernel is synchronous these days,
>     capabilities can be checked directly in security_netlink_recv() from
>     the current process.
>     
>     Signed-off-by: Patrick McHardy <kaber@trash.net>

Thanks for doing that Patrick.  I looked at this earlier and thought
there was still an async path, but I guess that's just to another
userspace process.

BTW, I think you missed a couple connector based callers:

drivers/staging/pohmelfs/config.c:      if (!cap_raised(nsp->eff_cap, CAP_SYS_AD
drivers/video/uvesafb.c:        if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))

Fix those and:

Acked-by: Chris Wright <chrisw@sous-sol.org>

Ideally, we'd consolidate those into a variant of security_netlink_recv().
However the issue is with types.  Inside connector callback we only have
netlink_skb_parms (seems inappropriate to cast back out to skb).

We could change the lsm hook to only pass nsp, but SELinux actually
cares about the netlink type.  Any ideas?
