Pablo Neira wrote:
> Chris Wright wrote:
>
>>> With your patch, a message from a user space process that doesn't have
>>> the capabilities follows this path:
>>>
>>> sys_sendmsg() -> netlink_sendmsg() -> netlink_unicast() ->
>>> netlink_sendskb() = discarded here.
>>>
>>> Currently, it continues, for example in case of rtnetlink:
>>>
>>> ... -> netlink_sendskb() -> sk_data_ready(sk, len) ->
>>> rtnetlink_rcv() -> rtnetlink_rcv_skb() -> rtnetlink_rcv_msg() =
>>> discarded here.
>>>
>>> Nowadays the message is enqueued but it's discarded later. So if I'm
>>> not missing anything, I don't see the point of adding a new function
>>> to check for capabilities/audit stuff just a bit before.
>>
>> The purpose is to guarantee that the checks are done in the sender's
>> context to avoid having to cache values such as capabilities, SELinux
>> SID, audit loginuid.
>
> Thanks for the explanation. I still don't like the new
> netlink_kernel_create_check function very much. I think that we could
> get more variations of netlink_kernel_create in future just to add
> another feature/checking. So I prefer a new function
> (netlink_kernel_set_check) that sets check_sender if it's needed once
> the netlink socket is created. I've modified your patches to use this
> function.

Sorry, I'm stupid. Wrong patch.

--
Pablo