Date: Thu, 24 Oct 2013 15:31:55 +0800 From: Gao feng <gaofeng@...fujitsu.com> To: linux-kernel@...r.kernel.org, linux-audit@...hat.com Cc: containers@...ts.linux-foundation.org, ebiederm@...ssion.com, serge.hallyn@...ntu.com, eparis@...hat.com, sgrubb@...hat.com, toshi.okajima@...fujitsu.com, Gao feng <gaofeng@...fujitsu.com> Subject: [PATCH 10/20] audit: allow un-init audit ns to change pid and portid only Only these two vars are namespace aware. Signed-off-by: Gao feng <gaofeng@...fujitsu.com> --- kernel/audit.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index d7a0993..2132929 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -685,16 +685,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlh->nlmsg_len < sizeof(struct audit_status)) return -EINVAL; status_get = (struct audit_status *)data; - if (status_get->mask & AUDIT_STATUS_ENABLED) { - err = audit_set_enabled(status_get->enabled); - if (err < 0) - return err; - } - if (status_get->mask & AUDIT_STATUS_FAILURE) { - err = audit_set_failure(status_get->failure); - if (err < 0) - return err; - } if (status_get->mask & AUDIT_STATUS_PID) { int new_pid = status_get->pid; struct task_struct *task; 
@@ -713,6 +703,22 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) init_audit_ns.portid = NETLINK_CB(skb).portid; } + + /* Right now, only audit_pid and audit_portid are namesapce + * aware. */ + if (ns != &init_audit_ns) + return -EPERM; + + if (status_get->mask & AUDIT_STATUS_ENABLED) { + err = audit_set_enabled(status_get->enabled); + if (err < 0) + return err; + } + if (status_get->mask & AUDIT_STATUS_FAILURE) { + err = audit_set_failure(status_get->failure); + if (err < 0) + return err; + } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) { err = audit_set_rate_limit(status_get->rate_limit); if (err < 0) -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
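Review bot: In the first hunk (@@ -685,16 +685,6), moving the AUDIT_STATUS_ENABLED and AUDIT_STATUS_FAILURE handling out from above the AUDIT_STATUS_PID block also changes the order of operations for the init namespace, and the commit message does not say so. A request that sets several mask bits now runs the pid/portid block first, so a later failure from audit_set_enabled() or audit_set_failure() returns an error after that block has already run. Either state in the changelog that the reorder is intentional, or keep the original order and gate the two blocks individually on the namespace.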
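Review bot: The added check `if (ns != &init_audit_ns) return -EPERM;` in the second hunk (@@ -713,6 +703,22) is unconditional and sits after the AUDIT_STATUS_PID block, so unless that block returns early in lines not shown here, a non-init namespace that sets only the pid has the change applied and still gets -EPERM back. A mixed request (pid plus enabled, failure or rate limit) is likewise partially applied before being refused. Consider rejecting up front, before any state is modified, and only when the mask carries bits other than AUDIT_STATUS_PID, so that a pid-only request returns success and anything else is refused without side effects. The new comment also misspells "namespace" as "namesapce".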