Aristeu Rozanski <arozansk(a)redhat.com> writes:
 Since user events will be followed by namespace information, userspace
 can filter off undesired container records.
I don't think we want to allow any user to write to the audit records,
but that is what nsown_capable will allow: all you would need to do is
unshare the user namespace to be able to write audit records.
Eric
 @@ -597,13 +612,13 @@ static int audit_netlink_ok(struct sk_buff
*skb, u16 msg_type)
  	case AUDIT_TTY_SET:
  	case AUDIT_TRIM:
  	case AUDIT_MAKE_EQUIV:
 -		if (!capable(CAP_AUDIT_CONTROL))
 +		if (!nsown_capable(CAP_AUDIT_CONTROL))
  			err = -EPERM;
  		break;
  	case AUDIT_USER:
  	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
  	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 -		if (!capable(CAP_AUDIT_WRITE))
 +		if (!nsown_capable(CAP_AUDIT_WRITE))
  			err = -EPERM;
  		break;
  	default:  /* bad msg */
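Review bot: The AUDIT_TTY_SET/AUDIT_TRIM/AUDIT_MAKE_EQUIV arm now gates on nsown_capable(CAP_AUDIT_CONTROL), which is satisfied by a caller that holds the capability only in its own user namespace, yet the operations that arm guards appear to act on kernel-wide audit state (the tty-audit setting and the global watch/tree rules) rather than on anything namespaced. Unless the audit subsystem is itself being namespaced elsewhere in this series (not visible in the hunk), that check should remain against the initial namespace, i.e. keep `if (!capable(CAP_AUDIT_CONTROL))` or write it as `ns_capable(&init_user_ns, CAP_AUDIT_CONTROL)`. A short comment above the switch stating which message types are safe to delegate to a namespace-local capability and which must stay global would make the intended trust boundary explicit for later readers. The switch in audit_netlink_ok continues past the end of the hunk.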