On Monday, December 15, 2014 02:33:36 PM Richard Guy Briggs wrote:
On 14/12/15, Paul Moore wrote:
> On Monday, December 15, 2014 01:51:52 PM Eric Paris wrote:
> > On Mon, 2014-12-15 at 13:50 -0500, Richard Guy Briggs wrote:
> > > On 14/12/15, Eric Paris wrote:
> > > > Lets say I and in the non-init pid namespace.
> > > >
> > > > I run audictl -a exit,always -S all -F pid=1
> > >
> > > That's easy (for now). Line 675 of kernel/audit.c in
> > > audit_netlink_ok()
> > >
> > > called from audit_receive_msg() will prevent that with:
> > > if ((task_active_pid_ns(current) != &init_pid_ns))
> > >
> > > return -EPERM;
> > >
> > > > Is the audit system going to show records for what I think is pid=1
> > > > or
> > > > what the initial pid namespace thinks is pid=1 ?
> >
> > ACK from me then.
>
> Okay, thanks. Anybody else want to jump on the Ack/Review bandwagon?
Guess I should have added some text about that... Add whichever you
feel is most appropriate (Ack/Review/Signed...)
I'll add your Reviewed-by tag then. Thanks.
I suppose everyone is different, but I *really* like seeing "Reviewed-by" and
"Tested-by" tags on a patch since it indicates that someone who is not the
patch author has looked at and/or tested the code separately and found it to
be good.
To me Acked-by usually just means that the maintainer, or someone important to
the effort, gave it a passing glance a said "ok". Ack's are important, but
I
give a higher weight to the reviewed and tested tags.
--
paul moore
security and virtualization @ redhat