[PATCH] Add audit uid to netlink credentials

Stephen Smalley sds at epoch.ncsc.mil
Thu Feb 10 12:40:17 UTC 2005


On Wed, 2005-02-09 at 19:19, Chris Wright wrote:
> Then it comes back to the question of how to protect loginuid.  If it
> can be spoofed by someone with CAP_AUDIT_WRITE, then it shouldn't be
> write protected by CAP_AUDIT_CONTROL.

To be precise, isn't it true that someone with only CAP_AUDIT_WRITE
would only be able to spoof loginuids in the AUDIT_USER messages they
generate?  The loginuid on any syscall audit messages for the task would
still be the one associated with the task's audit context, so that would
not be spoofable.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



