
Commit 3a101b8d authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by David S. Miller

audit: add netlink audit protocol bind to check capabilities on multicast join



Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.

Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7774d5e0
+6 −1
@@ -347,7 +347,12 @@ struct vfs_cap_data {

#define CAP_BLOCK_SUSPEND    36

#define CAP_LAST_CAP         CAP_BLOCK_SUSPEND
/* Allow reading the audit log via multicast netlink socket */

#define CAP_AUDIT_READ		37


#define CAP_LAST_CAP         CAP_AUDIT_READ

#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
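Review bot: Two consecutive blank lines separate `CAP_AUDIT_READ` from the new `CAP_LAST_CAP`, while the rest of this block uses a single blank line between definitions; one of them should go. The comment introducing the new capability would also be more useful if it named where the check is enforced, e.g. `/* Allow reading the audit log via multicast netlink socket (checked on multicast group bind) */`, since that is the only place this commit consults it.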

+10 −0
@@ -1076,10 +1076,20 @@ static void audit_receive(struct sk_buff *skb)
	mutex_unlock(&audit_cmd_mutex);
}

/* Run custom bind function on netlink socket group connect or bind requests. */
static int audit_bind(int group)
{
	if (!capable(CAP_AUDIT_READ))
		return -EPERM;

	return 0;
}

static int __net_init audit_net_init(struct net *net)
{
	struct netlink_kernel_cfg cfg = {
		.input	= audit_receive,
		.bind	= audit_bind,
	};

	struct audit_net *aunet = net_generic(net, audit_net_id);
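Review bot: audit_bind ignores its `group` argument, so the CAP_AUDIT_READ requirement applies to every multicast group on the audit socket rather than only the log-reading one; if that is intentional it should be stated, e.g. `/* group is unused: every audit multicast group requires CAP_AUDIT_READ. */` above the capable() call, otherwise a later group with different access rules will inherit this check silently. capable() evaluates the caller against the initial user namespace, which presumably is what audit wants given the log is system-wide, but since the socket is created per net namespace in audit_net_init a one-line comment saying the check is deliberately global would help the next reader. audit_net_init, where `.bind = audit_bind,` is added, continues outside the hunk.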
+1 −1
@@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
	{ "peer", { "recv", NULL } },
	{ "capability2",
	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
	    NULL } },
	    "audit_read", NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
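Review bot: The position of "audit_read" in the capability2 permission list is what associates it with the new capability, and nothing near the table says so; the next person adding a capability has to know the entries are positional. A short comment on the capability2 entry such as `/* order must follow CAP_* numbering upward from 32 */` would make the coupling explicit. I am inferring the positional indexing from the existing order (mac_override first, block_suspend last, matching the numbering in the capability header hunk) rather than from anything stated on this page.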