netlink checks are made in wrong place in grsec
Thanks. I contacted Zbyniu, the author of the patch, who has explained its purpose thus: "1. Grsec checks only CAP_NET_ADMIN for operations via netlink, which is not sufficient for current kernels. Also audit and some scsi operations can be controlled via netlink. Now all caps are calculated. 2. Denied accesses to CAP_NET_ADMIN are reported for all operations even if the capability is not required (i.e. "ip addr show"). Worse, learning mode would add this capability to the policies of processes that never require it, for example apache and all postfix programs. The error must be logged in the same place where EPERM is returned by the kernel." During this exchange, spender was copied in, so I'm hoping that he will review the patch prior to a decision being made as to whether to include this in the next hardened patchset.
Looks like upstream took care of this in grsecurity-2.1.11-2.6.24.3-200803172136. Will also be present in initial hardened-sources-2.6.24 release.
Thanks Gordon. Let's fold this into 2.6.23-r9 then.
Created attachment 146472: Re-diffed for 2.6.23. The same patch as referenced by the URL, only re-diffed against 2.6.23 and with some explanatory blurb.
Gordon contributed a (superior) backported patch which is now part of 2.6.23-r9. Closing.