lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 1 Apr 2014 15:07:21 +1100
From:	Stephen Rothwell <sfr@...b.auug.org.au>
To:	Eric Paris <eparis@...hat.com>
Cc:	linux-next@...r.kernel.org, linux-kernel@...r.kernel.org,
	Richard Guy Briggs <rgb@...hat.com>
Subject: linux-next: manual merge of the audit tree with Linus' tree

Hi Eric,

Today's linux-next merge of the audit tree got a conflict in
kernel/audit.c between commit aa4af831bb4f ("AUDIT: Allow login in
non-init namespaces") from Linus' tree and commit 5a3cb3b6c3a0 ("audit:
allow user processes to log from another PID namespace") from the audit
tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

[Eric: that audit tree commit has no Signed-off-by from you even though
you committed it ... there are a few like that]
-- 
Cheers,
Stephen Rothwell                    sfr@...b.auug.org.au

diff --cc kernel/audit.c
index 95a20f3f52f1,ad77d1e80895..000000000000
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@@ -607,20 -607,9 +607,19 @@@ static int audit_netlink_ok(struct sk_b
  {
  	int err = 0;
  
- 	/* Only support the initial namespaces for now. */
+ 	/* Only support initial user namespace for now. */
 +	/*
 +	 * We return ECONNREFUSED because it tricks userspace into thinking
 +	 * that audit was not configured into the kernel.  Lots of users
 +	 * configure their PAM stack (because that's what the distro does)
 +	 * to reject login if unable to send messages to audit.  If we return
 +	 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
 +	 * configured in and will let login proceed.  If we return EPERM
 +	 * userspace will reject all logins.  This should be removed when we
 +	 * support non init namespaces!!
 +	 */
- 	if ((current_user_ns() != &init_user_ns) ||
- 	    (task_active_pid_ns(current) != &init_pid_ns))
+ 	if ((current_user_ns() != &init_user_ns))
 -		return -EPERM;
 +		return -ECONNREFUSED;
  
  	switch (msg_type) {
  	case AUDIT_LIST:

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ