Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
Add a compare function which always returns true for the
audit netlink socket. This will make audit netlink
sockets netns-unaware, and no matter which netns the
user space audit netlink sockets belong to, they all
can find and communicate with audit_sock.
This gets rid of the need to create a per-netns
audit kernel-side socket (audit_sock); it's a pain to
depend on and get a reference to the netns for auditns.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
So whereas before you could prevent a task from spamming
audit by putting it into a private netns, now you have to
do it using a user namespace (to prevent capable(CAP_AUDIT_WRITE))
right?
I don't know that anyone is depending on that, in any case, but
it's a change.
Is this building up to something?
---
kernel/audit.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index b62153a..2ac6212 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1064,12 +1064,18 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+static bool audit_compare(struct net *net, struct sock *sk)
+{
+ return true;
+}
+
/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
int i;
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
+ .compare = audit_compare,
};
if (audit_initialized == AUDIT_DISABLED)
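Review bot: the unconditional `return true` in `audit_compare` ignores both its `net` and `sk` arguments, so the netns-scoping that the `.compare` callback exists to enforce is removed entirely; a one-line comment above the function stating that the audit socket is deliberately shared across all network namespaces would make that intent explicit rather than look like a stub. The commit message should also spell out the consequence raised in the reply above: a task can no longer be isolated from the audit socket by placing it in a separate netns, and the remaining gate is the capability check on the sending side. If that isolation was never relied on, say so in the changelog so the behaviour change is recorded.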
--
1.8.4.2
_______________________________________________
Containers mailing list
Containers(a)lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers