[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
Paul Moore
pmoore at redhat.com
Mon Dec 15 19:58:03 UTC 2014
On Monday, December 15, 2014 02:33:36 PM Richard Guy Briggs wrote:
> On 14/12/15, Paul Moore wrote:
> > On Monday, December 15, 2014 01:51:52 PM Eric Paris wrote:
> > > On Mon, 2014-12-15 at 13:50 -0500, Richard Guy Briggs wrote:
> > > > On 14/12/15, Eric Paris wrote:
> > > > > Lets say I and in the non-init pid namespace.
> > > > >
> > > > > I run audictl -a exit,always -S all -F pid=1
> > > >
> > > > That's easy (for now). Line 675 of kernel/audit.c in
> > > > audit_netlink_ok()
> > > >
> > > > called from audit_receive_msg() will prevent that with:
> > > > if ((task_active_pid_ns(current) != &init_pid_ns))
> > > >
> > > > return -EPERM;
> > > >
> > > > > Is the audit system going to show records for what I think is pid=1
> > > > > or
> > > > > what the initial pid namespace thinks is pid=1 ?
> > >
> > > ACK from me then.
> >
> > Okay, thanks. Anybody else want to jump on the Ack/Review bandwagon?
>
> Guess I should have added some text about that... Add whichever you
> feel is most appropriate (Ack/Review/Signed...)
I'll add your Reviewed-by tag then. Thanks.
I suppose everyone is different, but I *really* like seeing "Reviewed-by" and
"Tested-by" tags on a patch since it indicates that someone who is not the
patch author has looked at and/or tested the code separately and found it to
be good.
To me Acked-by usually just means that the maintainer, or someone important to
the effort, gave it a passing glance a said "ok". Ack's are important, but I
give a higher weight to the reviewed and tested tags.
--
paul moore
security and virtualization @ redhat
More information about the Linux-audit
mailing list