Re: [PATCH RFC] audit: provide namespace information in user originated records
Quoting Aristeu Rozanski (arozansk(a)redhat.com):
This is a bit fuzzy to me, perhaps due I'm not fully
understanding
userns implementation yet, so bear with me:
I thought of changing so userns would not grant CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require
Seems like CAP_AUDIT_WRITE should be targeted against the
skb->netns->userns. Then CAP_AUDIT_WRITE can be treated like any other
capability. Last I knew (long time ago) you had to be in init_user_ns
to talk audit, but that's ok - this would just do the right thing in
any case.
-serge