Message-ID: <CAHC9VhRjjWk9drwY5Db2Zwu1CHw+dxtkMKR6Ovw3pzuHBvieVQ@mail.gmail.com>
Date: Tue, 19 Apr 2016 15:55:33 -0400
From: Paul Moore <paul@...l-moore.com>
To: nicolas.dichtel@...nd.com
Cc: Roopa Prabhu <roopa@...ulusnetworks.com>, netdev@...r.kernel.org,
jhs@...atatu.com, davem@...emloft.net, tgraf@...g.ch,
Stephen Smalley <sds@...ho.nsa.gov>,
Eric Paris <eparis@...isplace.org>
Subject: Re: [PATCH net-next v5] rtnetlink: add new RTM_GETSTATS message to dump link stats
On Tue, Apr 19, 2016 at 4:26 AM, Nicolas Dichtel
<nicolas.dichtel@...nd.com> wrote:
> + selinux maintainers
>
> On 18/04/2016 23:10, Roopa Prabhu wrote:
> [snip]
>>
>> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
>> index 8495b93..1714633 100644
>> --- a/security/selinux/nlmsgtab.c
>> +++ b/security/selinux/nlmsgtab.c
>> @@ -76,6 +76,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
>> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> + { RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
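Review bot: RTM_GETSTATS, the request type that userland sends according to the subject line, gets no entry in this hunk, so the new request type has no match in nlmsg_route_perms; add `{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },` next to the RTM_NEWSTATS line. The RTM_NEWSTATS entry itself should be NETLINK_ROUTE_SOCKET__NLMSG_READ rather than NLMSG_WRITE: it carries the stats dump back to userspace and does not change kernel state, the same reason RTM_GETNSID two lines above is READ.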
>
> I would say it's NETLINK_ROUTE_SOCKET__NLMSG_READ, not WRITE. This command
> is only sent by the kernel, not by the userland.
From what I could tell from the patch description, it looks like
RTM_NEWSTATS only dumps stats to userspace and doesn't alter the state
of the kernel, is that correct? If so, then yes, NLMSG__READ is the
right SELinux permission. However, if RTM_NEWSTATS does alter the
state/configuration of the kernel then we should use NLMSG__WRITE.
--
paul moore
www.paul-moore.com
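The permission-table lookup the thread is discussing, as an added example that is not the kernel's security/selinux/nlmsgtab.c and not code from anyone on this thread: a small userspace model of nlmsg_route_perms with RTM_NEWSTATS and RTM_GETSTATS both tagged READ, a lookup that fails for an unlisted type, and the allow/deny decision for a sender that holds only the read permission. The message-type numbers are the Linux uapi values; the permission bit values and the function names are made up for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message-type values as in <linux/rtnetlink.h>; declared here so the
 * example builds without kernel headers. */
enum {
    RTM_NEWLINK  = 16,
    RTM_GETLINK  = 18,
    RTM_NEWSTATS = 92,
    RTM_GETSTATS = 94,
};

/* Hypothetical permission bits standing in for the generated
 * NETLINK_ROUTE_SOCKET__NLMSG_READ / __NLMSG_WRITE constants. */
#define NLMSG_PERM_READ  0x1u
#define NLMSG_PERM_WRITE 0x2u

struct nlmsg_perm {
    uint16_t nlmsg_type;
    uint32_t perm;
};

/* Constructed table in the shape of nlmsg_route_perms. A type that only
 * dumps state to userspace gets READ; one that alters kernel state gets
 * WRITE. */
static const struct nlmsg_perm route_perms[] = {
    { RTM_NEWLINK,  NLMSG_PERM_WRITE },  /* creates/changes a link */
    { RTM_GETLINK,  NLMSG_PERM_READ  },  /* link dump request      */
    { RTM_NEWSTATS, NLMSG_PERM_READ  },  /* stats reply to userspace */
    { RTM_GETSTATS, NLMSG_PERM_READ  },  /* stats dump request       */
};

/* Return the permission bits required to send nlmsg_type, or -EINVAL when
 * the type has no table entry (the "unrecognized message" case a missing
 * RTM_GETSTATS line would produce). */
int route_nlmsg_perm(uint16_t nlmsg_type)
{
    for (size_t i = 0; i < sizeof route_perms / sizeof route_perms[0]; i++) {
        if (route_perms[i].nlmsg_type == nlmsg_type)
            return (int)route_perms[i].perm;
    }
    return -EINVAL;
}

/* Decide whether a sender granted 'granted' bits may send nlmsg_type:
 * 0 = allowed, -EACCES = denied by policy, -EINVAL = unknown type. */
int route_nlmsg_check(uint32_t granted, uint16_t nlmsg_type)
{
    int need = route_nlmsg_perm(nlmsg_type);
    if (need < 0)
        return need;
    return ((granted & (uint32_t)need) == (uint32_t)need) ? 0 : -EACCES;
}

static const char *verdict(int rc)
{
    return rc == 0 ? "allow" : rc == -EACCES ? "deny" : "unknown type";
}

int main(void)
{
    /* A domain holding only nlmsg_read on netlink_route_socket. */
    uint32_t read_only = NLMSG_PERM_READ;

    printf("RTM_GETSTATS with read-only: %s\n",
           verdict(route_nlmsg_check(read_only, RTM_GETSTATS)));
    printf("RTM_NEWLINK  with read-only: %s\n",
           verdict(route_nlmsg_check(read_only, RTM_NEWLINK)));
    printf("type 9999    with read-only: %s\n",
           verdict(route_nlmsg_check(read_only, 9999)));
    return 0;
}
```

With RTM_NEWSTATS tagged WRITE instead, a read-only domain that merely handles the stats reply type would be denied, which is the practical consequence of the READ/WRITE choice under discussion.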