[ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config
Steve Grubb
sgrubb at redhat.com
Thu Oct 22 19:18:19 UTC 2015
On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> Debug the possibility of systemd changing the audit config causing
> shutdown delays by blocking all such requests.
I don't understand what you are saying here. As long as something
has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made
the changes in the logs.
-Steve
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> kernel/audit.c | 14 ++++++++------
> 1 files changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 30b3b08..93a466b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type) case AUDIT_ADD:
> case AUDIT_DEL:
> return -EOPNOTSUPP;
> - case AUDIT_GET:
> case AUDIT_SET:
> - case AUDIT_GET_FEATURE:
> case AUDIT_SET_FEATURE:
> - case AUDIT_LIST_RULES:
> case AUDIT_ADD_RULE:
> case AUDIT_DEL_RULE:
> - case AUDIT_SIGNAL_INFO:
> - case AUDIT_TTY_GET:
> - case AUDIT_TTY_SET:
> case AUDIT_TRIM:
> case AUDIT_MAKE_EQUIV:
> + case AUDIT_TTY_SET:
> + if (current->tgid == 1)
> + return -EPERM;
> + case AUDIT_GET:
> + case AUDIT_GET_FEATURE:
> + case AUDIT_LIST_RULES:
> + case AUDIT_SIGNAL_INFO:
> + case AUDIT_TTY_GET:
> /* Only support auditd and auditctl in initial pid namespace
> * for now. */
> if ((task_active_pid_ns(current) != &init_pid_ns))