On 4/19/16, 12:55 PM, Paul Moore wrote: > On Tue, Apr 19, 2016 at 4:26 AM, Nicolas Dichtel > <nicolas.dich...@6wind.com> wrote: >> + selinux maintainers >> >> Le 18/04/2016 23:10, Roopa Prabhu a écrit : >> [snip] >>> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c >>> index 8495b93..1714633 100644 >>> --- a/security/selinux/nlmsgtab.c >>> +++ b/security/selinux/nlmsgtab.c >>> @@ -76,6 +76,8 @@ static struct nlmsg_perm nlmsg_route_perms[] = >>> { RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, >>> { RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ }, >>> { RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ }, >>> + { RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, >> I would say it's NETLINK_ROUTE_SOCKET__NLMSG_READ, not WRITE. This command >> is only sent by the kernel, not by the userland. > From what I could tell from the patch description, it looks like > RTM_NEWSTATS only dumps stats to userspace and doesn't alter the state > of the kernel, is that correct? If so, then yes, NLMSG__READ is the > right SELinux permission. However, if RTM_NEWSTATS does alter the > state/configuration of the kernel then we should use NLMSG__WRITE. > okay, will change it to READ in the next version,
thanks.
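
Review bot: the added `{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }` entry in nlmsg_route_perms[] puts the new message type under the write permission, which the replies quoted here reserve for messages that alter kernel state or configuration. If RTM_NEWSTATS only carries stats to userspace, map it to NETLINK_ROUTE_SOCKET__NLMSG_READ. The hunk header (-76,6 +76,8) counts two added lines but only this one is quoted, so the second new entry's permission should be checked against the same rule. A line in the commit message stating why each new message type is READ or WRITE would make the table easier to audit later.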