> I agree with your approach of ignoring xperms on generic netlink sockets,
> it seems like the only sane thing we can do, but aren't we always going
> to fail a SECCLASS_NETLINK_GENERIC_SOCKET check here? It looks like
> selinux_nlmsg_lookup() is going to return -ENOENT in the case of
> SECCLASS_NETLINK_GENERIC_SOCKET which means we never hit this chunk of
> code if we are checking a genetlink socket. If selinux_nlmsg_lookup()
> returns zero, I believe we only need to check if the policy capability
> is enabled before doing the xperm processing.
>
> ... or am I missing something?

No, you are absolutely right. Let me send an updated version with that part removed. I'll also remove the comment but add a new comment within selinux_nlmsg_lookup.

Thanks.