netlink: Capture creds in netlink_connect
This changes the rules for whether netlink requests are considered
capable.
For sendto/sendmsg with an explicit destination, just check whether
the sender has the requested capability.
For a send without an explicit destination, check whether whoever
connected the sending socket had the requested capability. In this
case, we do not check whether the caller has the capability, for
two reasons.
1. Checking is mostly useless: the sender can often redirect some
privileged program's output to the socket, thus passing any
check on current creds we could do here.
2. Not checking is useful: programs can open a netlink socket, connect
it, and drop privileges as a way to retain the right to control
the network or whatever else the socket is pointing at.
For magically-connected NETLINK_ROUTE sockets, we check the creator's
capabilities. New applications that don't want socket capabilities
to be captured can connect to AF_UNSPEC to disconnect the socket.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
2 files changed