On Wed, 2006-31-05 at 15:06 +0200, Thomas Graf wrote:
> * jamal <[EMAIL PROTECTED]> 2006-05-31 08:20
> > The challenge is how to inform SELinux of these permissions.
> > The access limit could be done by putting a SELinux hook at the time the
> > skb gets to the generic netlink code?
> > Note: There's actually two things that can be classified for access
> > control, the genl family as well as the ops.
>
> We already have the flag GENL_ADMIN_PERM which when set for a
> struct genl_ops calls security_netlink_recv(). It's not as
> fine grained as it could be though.

To also answer your other email: Look at security/selinux/nlmsgtab.c for
example for NETLINK_ROUTE and compare with NETLINK_GENERIC to see the hole.
I was suggesting if we started by just adding checks for NETLINK_GENERIC
first in those tables (currently lacking), that would be a good start.

> The point is that adding
> fine grained SELinux support is no problem and even easier than
> for casual netlink families.

indeed. And it would be the first to check for a lot more fine graining
than exists today. If you look at security/selinux/nlmsgtab.c (after we add
checks for NETLINK_GENERIC) then it seems hard to just "hardcode" all
commands and families/ids in there because the idea is people could even be
doing this via modules. Not sure if that made sense.

> the important point is that for genetlink we already have
> a point where we peek at the attributes and adding a hook is
> trivial unlike for other netlink families where they'd have to be
> spread in the code.

nod.

cheers,
jamal
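The contrast the thread is drawing, as an added userspace model rather than kernel code from the netdev discussion: a static per-family table in the style of security/selinux/nlmsgtab.c (message type to permission, shown here for a subset of NETLINK_ROUTE using the real RTM_NEWLINK/RTM_DELLINK/RTM_GETLINK values) beside the per-op flag that generic netlink uses, where families and command ids are registered at module load and so cannot be enumerated in a fixed table. The enum names, the `demo` family, its two commands and the `genl_op_allowed` helper are constructed for the example; `GENL_ADMIN_PERM` is the real flag name but its value here is the model's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: models how a netlink message gets mapped
 * to a permission under the two schemes discussed in the thread. */

enum perm { PERM_NONE = 0, PERM_NLMSG_READ, PERM_NLMSG_WRITE };

/* Scheme 1: a static table in the style of nlmsgtab.c, keyed by message
 * type. The RTM_* values are the real uapi constants; the set is a subset. */
struct nlmsg_perm { unsigned short nlmsg_type; enum perm perm; };

static const struct nlmsg_perm route_perms[] = {
    { 16 /* RTM_NEWLINK */, PERM_NLMSG_WRITE },
    { 17 /* RTM_DELLINK */, PERM_NLMSG_WRITE },
    { 18 /* RTM_GETLINK */, PERM_NLMSG_READ  },
};

/* Unknown type -> PERM_NONE, which the caller treats as deny; a table that
 * silently allowed unlisted types would be the "hole" the email mentions. */
static enum perm route_msg_perm(unsigned short nlmsg_type)
{
    for (size_t i = 0; i < sizeof route_perms / sizeof route_perms[0]; i++)
        if (route_perms[i].nlmsg_type == nlmsg_type)
            return route_perms[i].perm;
    return PERM_NONE;
}

/* Scheme 2: generic netlink. Families and their command ids are allocated
 * when a module registers, so each op carries its own flag instead of
 * appearing in a central table. Flag value is the model's own. */
#define GENL_ADMIN_PERM 0x01

struct genl_op { unsigned char cmd; unsigned int flags; };
struct genl_family { const char *name; const struct genl_op *ops; size_t n_ops; };

/* Constructed sample family: one read-only command, one admin command. */
static const struct genl_op demo_ops[] = {
    { 1 /* DEMO_CMD_GET (constructed) */, 0 },
    { 2 /* DEMO_CMD_SET (constructed) */, GENL_ADMIN_PERM },
};
static const struct genl_family demo_family = { "demo", demo_ops, 2 };

/* Coarse check: an op flagged GENL_ADMIN_PERM requires CAP_NET_ADMIN,
 * anything else passes, and an unknown command is rejected outright.
 * This is the "not as fine grained as it could be" point: the decision
 * is per op and capability-based, not per family/command SELinux class. */
static bool genl_op_allowed(const struct genl_family *fam, unsigned char cmd,
                            bool has_net_admin)
{
    for (size_t i = 0; i < fam->n_ops; i++) {
        if (fam->ops[i].cmd != cmd)
            continue;
        if (fam->ops[i].flags & GENL_ADMIN_PERM)
            return has_net_admin;
        return true;
    }
    return false; /* unknown command: deny rather than fall through */
}

int main(void)
{
    printf("RTM_GETLINK -> perm %d\n", route_msg_perm(18));
    printf("demo SET without CAP_NET_ADMIN -> %s\n",
           genl_op_allowed(&demo_family, 2, false) ? "allowed" : "denied");
    printf("demo SET with CAP_NET_ADMIN -> %s\n",
           genl_op_allowed(&demo_family, 2, true) ? "allowed" : "denied");
    return 0;
}
```

The table lookup is the part that can be audited once for the whole family; the flag check has to be trusted to every module author that registers ops, which is why a family-level hook at the point where genetlink already parses the header is attractive.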