Chris Wright wrote:

>>With your patch, a message from a user space process that doesn't have the
>>capabilities follows this path:
>>
>>sys_sendmsg() -> netlink_sendmsg() -> netlink_unicast() ->
>>netlink_sendskb() = discarded here.
>>
>>Currently, it continues, for example in case of rtnetlink:
>>
>>... -> netlink_sendskb() -> sk_data_ready(sk, len) -> rtnetlink_rcv() ->
>>rtnetlink_rcv_skb() -> rtnetlink_rcv_msg() = discarded here.
>>
>>Nowadays the message is enqueued but it's discarded later. So if I'm not
>>missing anything, I don't see the point of adding a new function to
>>check for capabilities/audit stuff just a bit before.
>>
>>
>
>The purpose is to guarantee that the checks are done in the sender's
>context to avoid having to cache values such as capabilities, SELinux
>SID, audit loginuid.
>
>

Thanks for the explanation.

I still don't much like the new netlink_kernel_create_check function. I think that we could get more variations of netlink_kernel_create in future just to add another feature/check. So I prefer a new function (netlink_kernel_set_check) that sets check_sender, if it's needed, once the netlink socket is created.

I've modified your patches to use this function. Comments welcome.

--
Pablo
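The two discard points discussed in this thread, as an added user-space model that is not part of the original message or of the patches it refers to: a socket with no sender check queues the message and can only judge it later from a cached capability snapshot, while a socket with a check installed after creation rejects it in the sender's context before it is queued. All names (`nl_sock`, `nl_set_check`, `nl_send`, `nl_drain`, `require_net_admin`, `CAP_NET_ADMIN_BIT`) are hypothetical stand-ins, not kernel API.

```c
/* User-space model (constructed); all names are hypothetical, not kernel API. */
#include <errno.h>
#include <stddef.h>

#define CAP_NET_ADMIN_BIT 0x1u           /* stand-in capability bit */

struct task { unsigned caps; };          /* stand-in for the calling context */
struct msg  { int type; unsigned cached_caps; };

struct nl_sock {
    int (*check_sender)(const struct task *, const struct msg *);
    struct msg queue[8];
    size_t qlen;
};

/* Install the optional sender check once the socket already exists. */
void nl_set_check(struct nl_sock *sk,
                  int (*fn)(const struct task *, const struct msg *))
{
    sk->check_sender = fn;
}

/* Send path: runs in the sender's context, so 'cur' is the sender itself. */
int nl_send(struct nl_sock *sk, const struct task *cur, struct msg m)
{
    if (sk->check_sender) {
        int err = sk->check_sender(cur, &m);
        if (err)
            return err;                  /* discarded before it is queued */
    }
    if (sk->qlen == 8)
        return -ENOBUFS;
    m.cached_caps = cur->caps;           /* snapshot needed only for late checks */
    sk->queue[sk->qlen++] = m;
    return 0;
}

/* Receive path: the sender is gone, only the cached snapshot can be judged. */
size_t nl_drain(struct nl_sock *sk)
{
    size_t accepted = 0;
    for (size_t i = 0; i < sk->qlen; i++)
        if (sk->queue[i].cached_caps & CAP_NET_ADMIN_BIT)
            accepted++;
    sk->qlen = 0;
    return accepted;
}

/* Example check: refuse senders that lack the stand-in capability. */
int require_net_admin(const struct task *t, const struct msg *m)
{
    (void)m;
    return (t->caps & CAP_NET_ADMIN_BIT) ? 0 : -EPERM;
}
```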