authorRichard Guy Briggs <rgb@redhat.com>2014-04-22 21:31:56 -0400
committerDavid S. Miller <davem@davemloft.net>2014-04-22 21:42:27 -0400
commit3a101b8de0d39403b2c7e5c23fd0b005668acf48 (patch)
treeb7bce9802ac01cfeb96167d3bdc14b90703b9672
parent7774d5e03f4a41ec7c1e736acc108f112003bb4a (diff)
audit: add netlink audit protocol bind to check capabilities on multicast join
Register a netlink per-protocol bind function for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/uapi/linux/capability.h7
-rw-r--r--kernel/audit.c10
-rw-r--r--security/selinux/include/classmap.h2
3 files changed, 17 insertions, 2 deletions
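--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -347,7 +347,12 @@ struct vfs_cap_data {
 
 #define CAP_BLOCK_SUSPEND 36
 
-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
+/* Allow reading the audit log via multicast netlink socket */
+
+#define CAP_AUDIT_READ 37
+
+
+#define CAP_LAST_CAP CAP_AUDIT_READ
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 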
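--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1076,10 +1076,20 @@ static void audit_receive(struct sk_buff *skb)
  mutex_unlock(&audit_cmd_mutex);
 }
 
+/* Run custom bind function on netlink socket group connect or bind requests. */
+static int audit_bind(int group)
+{
+ if (!capable(CAP_AUDIT_READ))
+ return -EPERM;
+
+ return 0;
+}
+
 static int __net_init audit_net_init(struct net *net)
 {
  struct netlink_kernel_cfg cfg = {
  .input = audit_receive,
+ .bind = audit_bind,
  };
 
  struct audit_net *aunet = net_generic(net, audit_net_id);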
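Review bot: audit_bind() ignores its `group` argument, so the comment above it should state the policy the hook actually enforces rather than restating that it is a bind hook; as written, every multicast group join on the audit socket requires CAP_AUDIT_READ, not only the log group. Suggested header: `/* Netlink bind hook: any multicast group join on the audit socket requires CAP_AUDIT_READ; the group number is not inspected. */`. If a future group is meant to be joinable without that capability, the switch on `group` would belong here, which is worth recording now so the unused parameter is not mistaken for an oversight. The body of audit_net_init continues outside the hunk.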
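--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
  { "peer", { "recv", NULL } },
  { "capability2",
  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
- NULL } },
+ "audit_read", NULL } },
  { "kernel_service", { "use_as_override", "create_files_as", NULL } },
  { "tun_socket",
  { COMMON_SOCK_PERMS, "attach_queue", NULL } },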
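Review bot: The position of "audit_read" in the capability2 list is what ties it to the new CAP_AUDIT_READ bit (37 - 32 = index 5, directly after "block_suspend" at index 4 for CAP_BLOCK_SUSPEND 36), but nothing in this table says so, and the hunk that bumps CAP_LAST_CAP lives in a different file. A comment on the capability2 entry, such as `/* ordered by CAP_* number minus 32; keep in sync with CAP_LAST_CAP in include/uapi/linux/capability.h */`, would make the coupling visible to whoever adds the next capability. I am inferring the index-to-bit mapping from the existing entries; please confirm against the SELinux capability checking code before relying on the comment.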