From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Serge Hallyn <serge.hallyn@canonical.com>,
"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH 2/2] net: Use ns_capable_noaudit() when determining net sysctl permissions
Date: Mon, 9 May 2016 04:24:20 +0000 [thread overview]
Message-ID: <20160509042420.GB22508@ubuntumail> (raw)
In-Reply-To: <1462575854-4301-3-git-send-email-tyhicks@canonical.com>
Quoting Tyler Hicks (tyhicks@canonical.com):
> The capability check should not be audited since it is only being used
> to determine the inode permissions. A failed check does not indicate a
> violation of security policy but, when an LSM is enabled, a denial audit
> message was being generated.
>
> The denial audit message caused confusion for some application authors
> because root-running Go applications always triggered the denial. To
> prevent this confusion, the capability check in net_ctl_permissions() is
> switched to the noaudit variant.
>
> BugLink: https://launchpad.net/bugs/1465724
>
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> ---
> net/sysctl_net.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sysctl_net.c b/net/sysctl_net.c
> index ed98c1f..46a71c7 100644
> --- a/net/sysctl_net.c
> +++ b/net/sysctl_net.c
> @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ctl_table_header *head,
> kgid_t root_gid = make_kgid(net->user_ns, 0);
>
> /* Allow network administrator to have same access as root. */
> - if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
> + if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) ||
> uid_eq(root_uid, current_euid())) {
> int mode = (table->mode >> 6) & 7;
> return (mode << 6) | (mode << 3) | mode;
> --
> 2.7.4
>
next prev parent reply other threads:[~2016-05-09 4:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-06 23:04 [PATCH 0/2] Quiet noisy LSM denial when accessing net sysctl Tyler Hicks
2016-05-06 23:04 ` [PATCH 1/2] kernel: Add noaudit variant of ns_capable() Tyler Hicks
2016-05-09 4:23 ` Serge Hallyn
2016-05-06 23:04 ` [PATCH 2/2] net: Use ns_capable_noaudit() when determining net sysctl permissions Tyler Hicks
2016-05-09 4:24 ` Serge Hallyn [this message]
2016-05-09 3:56 ` [PATCH 0/2] Quiet noisy LSM denial when accessing net sysctl David Miller
2016-05-17 14:13 ` Tyler Hicks
2016-06-02 16:30 ` Tyler Hicks
2016-06-03 1:00 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160509042420.GB22508@ubuntumail \
--to=serge.hallyn@ubuntu.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).