Quoting Aristeu Rozanski ([email protected]): > This is a bit fuzzy to me, perhaps due I'm not fully understanding > userns implementation yet, so bear with me: > I thought of changing so userns would not grant CAP_AUDIT_WRITE and > CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require
Seems like CAP_AUDIT_WRITE should be targeted against the skb->netns->userns. Then CAP_AUDIT_WRITE can be treated like any other capability. Last I knew (long time ago) you had to be in init_user_ns to talk audit, but that's ok - this would just do the right thing in any case. -serge -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
