On Tue, Apr 19, 2016 at 4:26 AM, Nicolas Dichtel <nicolas.dich...@6wind.com> wrote:
> + selinux maintainers
>
> On 18/04/2016 23:10, Roopa Prabhu wrote:
> [snip]
>>
>> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
>> index 8495b93..1714633 100644
>> --- a/security/selinux/nlmsgtab.c
>> +++ b/security/selinux/nlmsgtab.c
>> @@ -76,6 +76,8 @@ static struct nlmsg_perm nlmsg_route_perms[] =
>> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>> { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
>> + { RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
>
> I would say it's NETLINK_ROUTE_SOCKET__NLMSG_READ, not WRITE. This command
> is only sent by the kernel, not by the userland.
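Review bot: The new nlmsg_route_perms entry gives RTM_NEWSTATS NETLINK_ROUTE_SOCKET__NLMSG_WRITE, but if, as Nicolas says, this message type is only emitted by the kernel towards userspace and does not change kernel state, the entry should be `{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },`, matching the neighbouring RTM_GETNSID entry; mapping a read-only message to WRITE would make SELinux demand nlmsg_write from processes that only need to read, while the reverse mistake would let a state-changing message through with only nlmsg_read, so the choice should be justified in the commit message. Also, the hunk header `@@ -76,6 +76,8 @@` announces two added lines but only one `+` line is quoted here, so the permission picked for the second new entry needs the same review.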
From what I could tell from the patch description, it looks like RTM_NEWSTATS only dumps stats to userspace and doesn't alter the state of the kernel, is that correct? If so, then yes, NLMSG__READ is the right SELinux permission. However, if RTM_NEWSTATS does alter the state/configuration of the kernel then we should use NLMSG__WRITE.

--
paul moore
www.paul-moore.com