[ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config

Steve Grubb sgrubb at redhat.com
Thu Oct 22 19:18:19 UTC 2015


On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> Debug the possibility of systemd changing the audit config causing
> shutdown delays by blocking all such requests.

I don't understand what you are saying here. As long as something
has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made
the changes in the logs.

-Steve

> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
>  kernel/audit.c |   14 ++++++++------
>  1 files changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 30b3b08..93a466b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type) case AUDIT_ADD:
>  	case AUDIT_DEL:
>  		return -EOPNOTSUPP;
> -	case AUDIT_GET:
>  	case AUDIT_SET:
> -	case AUDIT_GET_FEATURE:
>  	case AUDIT_SET_FEATURE:
> -	case AUDIT_LIST_RULES:
>  	case AUDIT_ADD_RULE:
>  	case AUDIT_DEL_RULE:
> -	case AUDIT_SIGNAL_INFO:
> -	case AUDIT_TTY_GET:
> -	case AUDIT_TTY_SET:
>  	case AUDIT_TRIM:
>  	case AUDIT_MAKE_EQUIV:
> +	case AUDIT_TTY_SET:
> +		if (current->tgid == 1)
> +			return -EPERM;
> +	case AUDIT_GET:
> +	case AUDIT_GET_FEATURE:
> +	case AUDIT_LIST_RULES:
> +	case AUDIT_SIGNAL_INFO:
> +	case AUDIT_TTY_GET:
>  		/* Only support auditd and auditctl in initial pid namespace
>  		 * for now. */
>  		if ((task_active_pid_ns(current) != &init_pid_ns))
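Review bot: the `if (current->tgid == 1) return -EPERM;` added under `case AUDIT_TTY_SET:` refuses the request silently, so a debug patch whose stated purpose is to find out whether systemd is changing the audit configuration produces no record of the attempt; log the refused request (requesting pid and message type) before returning, rather than only returning -EPERM. Two smaller points on the same lines: the literal `1` matches whatever the global init is and does not identify systemd specifically, so the comparison should say so in a comment or check something more specific; and the fall-through from the new `return -EPERM` line into the `case AUDIT_GET:` group is now the only way the set-type cases reach the existing `task_active_pid_ns(current) != &init_pid_ns` check, which deserves a fall-through comment so the next reader does not mistake it for a missing break.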
