[Drbd-dev] [PATCH 2/2] netlink: kill eff_cap from struct netlink_skb_parms

Chris Wright chrisw at sous-sol.org
Thu Mar 3 18:32:30 CET 2011

* Patrick McHardy (kaber at trash.net) wrote:

> commit 8ff259625f0ab295fa085b0718eed13093813fbc
> Author: Patrick McHardy <kaber at trash.net>
> Date:   Thu Mar 3 10:17:31 2011 +0100
>     netlink: kill eff_cap from struct netlink_skb_parms
>     Netlink message processing in the kernel is synchronous these days,
>     capabilities can be checked directly in security_netlink_recv() from
>     the current process.
>     Signed-off-by: Patrick McHardy <kaber at trash.net>

Thanks for doing that Patrick.  I looked at this earlier and thought
there was still an async path, but I guess that's just to another
userspace process.

BTW, I think you missed a couple connector based callers:

drivers/staging/pohmelfs/config.c:      if (!cap_raised(nsp->eff_cap, CAP_SYS_AD
drivers/video/uvesafb.c:        if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))

Fix those and:

Acked-by: Chris Wright <chrisw at sous-sol.org>

Ideally, we'd consolidate those into a variant of security_netlink_recv().
However the issue is with types.  Inside connector callback we only have
netlink_skb_parms (seems inappropriate to cast back out to skb).

We could change the lsm hook to only pass nsp, but SELinux actually
cares about the netlink type.  Any ideas?

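The two connector-based callers above were found by grepping the tree for the field. As an added example (not part of this thread or of the patch), the shell script below packages that check so the removal of eff_cap from struct netlink_skb_parms can be verified to be complete: it lists every C source or header that still dereferences the field, and reports the number of files affected, which should reach zero once all callers have been converted to check the current process. The tree path and the constructed sample files are assumptions made for a stand-alone run.

```shell
#!/bin/sh
# Added example: find remaining users of the eff_cap capability snapshot
# in a kernel source tree. Not code from the patch or the mailing list.

# Print "file:line:text" for every C source/header that reads ->eff_cap
# or .eff_cap. The /dev/null argument forces grep to prefix the filename
# even when find hands it a single file. The trailing class avoids matching
# identifiers that merely start with "eff_cap".
find_eff_cap_users() {
    tree="$1"
    find "$tree" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE '(->|\.)eff_cap([^a-zA-Z0-9_]|$)' /dev/null {} +
}

# Number of distinct files still referencing the field; 0 means the
# field can be removed from struct netlink_skb_parms without breaking a caller.
count_eff_cap_files() {
    find_eff_cap_users "$1" 2>/dev/null | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree (assumption, for offline runs): one caller that
# still uses the snapshot, one already converted to capable(), and a header
# whose only hit is a comment mentioning a different identifier.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/drivers/video" "$dir/net/netlink"
    printf 'if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))\n\treturn;\n' \
        > "$dir/drivers/video/uvesafb.c"
    printf 'if (!capable(CAP_SYS_ADMIN))\n\treturn;\n' \
        > "$dir/net/netlink/af_netlink.c"
    printf '/* eff_capability is a different name, not a field use */\n' \
        > "$dir/net/netlink/sample.h"
    echo "$dir"
}

# Stand-alone usage: scan the sample tree and print the summary.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    find_eff_cap_users "$t"
    echo "files still using eff_cap: $(count_eff_cap_files "$t")"
    rm -rf "$t"
fi
```

Run it against a real checkout with `find_eff_cap_users /path/to/linux`; on the tree discussed in the thread it should report the pohmelfs and uvesafb hits until those are converted, after which `count_eff_cap_files` returns 0.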