[PATCH RFC 8/8] audit: allow user records to be created inside a container
Eric W. Biederman
ebiederm at xmission.com
Mon Mar 18 21:28:16 UTC 2013
Aristeu Rozanski <arozansk at redhat.com> writes:
> Since user events will be followed by namespace information, userspace
> can filter off undesired container records.
I don't think we want to allow any user to write to the audit records;
that is what nsown_capable will allow, as all you would need to do is to
unshare the user namespace to be able to write audit records.
Eric
> @@ -597,13 +612,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> case AUDIT_TTY_SET:
> case AUDIT_TRIM:
> case AUDIT_MAKE_EQUIV:
> - if (!capable(CAP_AUDIT_CONTROL))
> + if (!nsown_capable(CAP_AUDIT_CONTROL))
> err = -EPERM;
> break;
> case AUDIT_USER:
> case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> - if (!capable(CAP_AUDIT_WRITE))
> + if (!nsown_capable(CAP_AUDIT_WRITE))
> err = -EPERM;
> break;
> default: /* bad msg */
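Review bot: Both replacements in this hunk (`- if (!capable(CAP_AUDIT_CONTROL))` / `+ if (!nsown_capable(CAP_AUDIT_CONTROL))` and the same change for CAP_AUDIT_WRITE) switch the check to the caller's own user namespace, where an otherwise unprivileged process holds every capability as soon as it unshares into a fresh user namespace, so after this change neither check restricts anything. For the AUDIT_CONTROL cases (AUDIT_TTY_SET, AUDIT_TRIM, AUDIT_MAKE_EQUIV) this is a privilege problem rather than a filtering problem, since those messages act on global audit state that no container should be able to alter; they should keep `capable(CAP_AUDIT_CONTROL)`. For the AUDIT_USER / AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG2 cases, leaving userspace to filter records by the appended namespace information does not stop an unprivileged namespace from flooding or forging user records in the single audit log; until the audit queue itself is namespaced, keep `capable(CAP_AUDIT_WRITE)` here as well, or check the capability against the user namespace that owns the audit instance the record is written to, and document that decision in the commit message.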