On Mon, 2013-07-08 at 16:34 -0400, Steve Grubb wrote:
On Friday, May 24, 2013 12:11:50 PM Eric Paris wrote:
> This adds a new 'audit_feature' bit which allows userspace to set it
> such that the loginuid is absolutely immutable, even if you have
> CAP_AUDIT_CONTROL.
I'm also not sure I like it done this way. What I was thinking about is that
we should set this at boot so that no matter what happens during boot, the
policy is for setting loginuid cannot be messed with. We really do not want
this to be changeable after the system comes up. I'd much rather see this as
audit=4 on the boot prompt (meaning enabled and immutable). This way its clear
to everyone that it can only be changed by rebooting the system and the policy
is in effect for the duration of the session.
Linus has explicitly said the kernel command line options are only
acceptable if they are required for kernel functionality before they can
be set by userspace. If we don't trust the audit system initialization
we already lost and no amount of audit= is going to change that. Since
there is absolutely no benefit to setting this on the kernel command
line, before we can parse and use the audit.rules, I can not make this
yet another archaic command line option. I'm sorry, but this just
cannot happen...