Aristeu Rozanski <arozansk(a)redhat.com> writes:
Since user events will be followed by namespace information, userspace can filter off undesired container records.
I don't think we want to allow any user to write to the audit records,
that is what nsown_capable will allow, as all you would need to do is to
unshare the user namespace to be able to write audit records.
Eric
@@ -597,13 +612,13 @@ static int audit_netlink_ok(struct sk_buff
*skb, u16 msg_type)
case AUDIT_TTY_SET:
case AUDIT_TRIM:
case AUDIT_MAKE_EQUIV:
- if (!capable(CAP_AUDIT_CONTROL))
+ if (!nsown_capable(CAP_AUDIT_CONTROL))
err = -EPERM;
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (!capable(CAP_AUDIT_WRITE))
+ if (!nsown_capable(CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
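Review bot: switching the CAP_AUDIT_WRITE check for AUDIT_USER and the AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG2 ranges from capable() to nsown_capable() removes the privilege requirement in practice: nsown_capable() tests the capability in the caller's own user namespace, and a process holds a full capability set in a user namespace it has just unshared, so any unprivileged user could pass this check and inject user audit records. The same applies to the AUDIT_TTY_SET / AUDIT_TRIM / AUDIT_MAKE_EQUIV cases, which are worse because CAP_AUDIT_CONTROL gates changes to global audit configuration rather than just record emission. Suggest keeping `if (!capable(CAP_AUDIT_WRITE))` and `if (!capable(CAP_AUDIT_CONTROL))` here (or checking the capability against the user namespace that owns the audit subsystem, e.g. the init user namespace) until namespace tagging of records and consumer-side filtering are actually in place; filtering by namespace information in userspace is not a substitute for the kernel-side permission check.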