net_admin audit for setsockopt SO_SNDBUFFORCE

cgzones Tue, 21 Mar 2017 08:22:11 -0700

Hi list,
this thread[1] about setsockopt(...,...,SO_SNDBUFFORCE), which
triggers widely due to systemd, let me think about the recent SELinux
kernel fixes: the reordering of dac_read_search and dac_override and
also the cap_wake_alarm fix.


Would it make sense to test, if the send buffer is really set to a
higher value than wmem_max, before testing for the cap_net_admin
permission[2]?
(might also apply to SO_RCVBUFFORCE)

Best regards,
    Christian Göttsche


[1] http://oss.tresys.com/pipermail/refpolicy/2017-March/009185.html
[2] 
https://github.com/torvalds/linux/blob/ae50dfd61665086e617cc9e554a1285d52765670/net/core/sock.c#L715


p.s.: friendly ping on https://marc.info/?l=selinux&m=148944677530753&w=2

_______________________________________________
Selinux mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].

net_admin audit for setsockopt SO_SNDBUFFORCE

Reply via email to