Re: [PATCH ghak90 V9 13/13] audit: add capcontid to set contid outside init_user_ns

Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a process in a non-init user namespace the capability to set audit container identifiers of individual children. Provide the /proc/$PID/audit_capcontid interface to capcontid. Valid values are: 1==enabled, 0==disabled Writing a "1" to this special file for the target process $PID will enable the target process to set audit container identifiers of its descendants. A process must already have CAP_AUDIT_CONTROL in the initial user namespace or have had audit_capcontid enabled by a previous use of this feature by its parent on this process in order to be able to enable it for another process. The target process must be a descendant of the calling process. Report this action in new message type AUDIT_SET_CAPCONTID 1022 with fields opid= capcontid= old-capcontid= Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- fs/proc/base.c | 57 +++++++++++++++++++++++++++++++++++++++++++++- include/linux/audit.h | 14 ++++++++++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 38 ++++++++++++++++++++++++++++++- 4 files changed, 108 insertions(+), 2 deletions(-)