Re: Low-level network hooks and rtnetlink

From: Stephen Smalley (sdsat_private)
Date: Thu Aug 02 2001 - 13:19:53 PDT

  • Next message: jmjonesat_private: "LSMEXAMPLE.C.V0.7"

    On Fri, 3 Aug 2001, James Morris wrote:
    
    > However, things become more complicated if the kernel is configured with
    > rtnetlink enabled.  This is a separate mechanism for managing the same set
    > of objects (see rtnetlink(7)), as well as a few others which may also need
    > access/audit hooks for some implementations.
    
    One other observation on this topic:  Notice that LSM has a hook in the
    capable() function.  So assuming that the existing capable() calls provide
    a consistent control over access to the routing table regardless of
    whether you use a rtnetlink socket or an ioctl call, then a security
    module also can provide a consistent control by performing its checking
    in the capable() hook.  The only limitation of this approach is that the
    capabilities are fairly coarse-grained (CAP_NET_ADMIN, in this case)
    and cannot take into account other parameters.  
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
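To make the point of the message concrete, here is a user-space model of the capable() hook as a security module would use it. It is an added illustration, not code from the LSM project or from the original post: the struct names prefixed model_, the dummy_ops/module_ops tables, the net_label field and the sample tasks are all constructed for this example. Two routing-table entry points (standing in for the ioctl(SIOCADDRT) and rtnetlink RTM_NEWROUTE handlers) each call capable(CAP_NET_ADMIN), so a module that does its checking in the capable hook gets the same answer on both paths. The same model also shows the limitation named in the message: the hook receives only the task and the capability number, so the destination passed to the entry points never reaches it and cannot influence the decision.

```c
/*
 * User-space model of the LSM capable() hook. Added illustration only:
 * not kernel code and not from the LSM project. The model_* names, the
 * net_label field and the sample tasks below are constructed for this page.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Capability number as in <linux/capability.h>. */
#define CAP_NET_ADMIN 12

/* Stand-in for the parts of task_struct the hook can see: the effective
 * capability set plus a hypothetical module-private label. */
struct model_task {
    const char *comm;
    uint32_t    cap_effective;  /* bit n set <=> capability n held */
    int         net_label;      /* hypothetical label assigned by the module */
};

/* Stand-in for the LSM security_ops table; only the capable hook is modeled.
 * Return 0 to allow, -EPERM to deny. */
struct model_security_ops {
    int (*capable)(struct model_task *tsk, int cap);
};

static int cap_raised(const struct model_task *tsk, int cap)
{
    return (tsk->cap_effective >> cap) & 1u;
}

/* Default hook: plain capability-bit check, as the stock kernel does. */
static int dummy_capable(struct model_task *tsk, int cap)
{
    return cap_raised(tsk, cap) ? 0 : -EPERM;
}

/* Module hook: still requires the capability bit, but for CAP_NET_ADMIN also
 * requires the task to carry a label. Note the hook sees only (task, cap):
 * it cannot tell which route or interface the caller is about to touch. */
#define NET_LABEL_NETADMIN 1
static int module_capable(struct model_task *tsk, int cap)
{
    if (!cap_raised(tsk, cap))
        return -EPERM;
    if (cap == CAP_NET_ADMIN && tsk->net_label != NET_LABEL_NETADMIN)
        return -EPERM;
    return 0;
}

struct model_security_ops dummy_ops  = { dummy_capable };
struct model_security_ops module_ops = { module_capable };
static struct model_security_ops *security_ops = &dummy_ops;

/* Like security_register(): swap in a module's ops table. */
void model_register(struct model_security_ops *ops) { security_ops = ops; }

/* Kernel-style capable(): nonzero when the installed hook allows. */
static int model_capable(struct model_task *tsk, int cap)
{
    return security_ops->capable(tsk, cap) == 0;
}

/* Two entry points that change the routing table, modeled on the kernel's
 * ioctl(SIOCADDRT) and rtnetlink RTM_NEWROUTE handlers. Both gate on
 * capable(CAP_NET_ADMIN); that shared check is what makes a module's
 * control consistent across the two interfaces. */
int model_ioctl_siocaddrt(struct model_task *tsk, uint32_t dst)
{
    (void)dst;  /* the route itself never reaches the capable() hook */
    return model_capable(tsk, CAP_NET_ADMIN) ? 0 : -EPERM;
}

int model_rtnetlink_newroute(struct model_task *tsk, uint32_t dst)
{
    (void)dst;  /* same limitation on the rtnetlink path */
    return model_capable(tsk, CAP_NET_ADMIN) ? 0 : -EPERM;
}

/* Run both entry points under a given ops table and pack the outcome:
 * bit 0 = ioctl path allowed, bit 1 = rtnetlink path allowed. */
int model_try_both(struct model_security_ops *ops, struct model_task *tsk)
{
    int r = 0;
    model_register(ops);
    if (model_ioctl_siocaddrt(tsk, 0x0a000000u) == 0) r |= 1;
    if (model_rtnetlink_newroute(tsk, 0x0a000000u) == 0) r |= 2;
    return r;
}

/* Constructed sample tasks: a root-like task holding CAP_NET_ADMIN without the
 * module label, the same with the label, and an unprivileged task. */
struct model_task root_unlabeled = { "ip",   1u << CAP_NET_ADMIN, 0 };
struct model_task root_labeled   = { "ip",   1u << CAP_NET_ADMIN, NET_LABEL_NETADMIN };
struct model_task unprivileged   = { "ping", 0,                   NET_LABEL_NETADMIN };

int main(void)
{
    printf("dummy  / root_unlabeled: %d\n", model_try_both(&dummy_ops,  &root_unlabeled));
    printf("module / root_unlabeled: %d\n", model_try_both(&module_ops, &root_unlabeled));
    printf("module / root_labeled:   %d\n", model_try_both(&module_ops, &root_labeled));
    printf("module / unprivileged:   %d\n", model_try_both(&module_ops, &unprivileged));
    return 0;
}
```

Under dummy_ops the unlabeled root task passes on both paths (result 3); under module_ops it is denied on both (result 0) while the labeled task passes on both, which is the consistency the message describes. Adding a check on the route destination would require a hook at the rtnetlink and ioctl handlers themselves, since dst is not among the capable hook's arguments.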
    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 13:21:37 PDT