On Monday, December 15, 2014 02:33:36 PM Richard Guy Briggs wrote: > On 14/12/15, Paul Moore wrote: > > On Monday, December 15, 2014 01:51:52 PM Eric Paris wrote: > > > On Mon, 2014-12-15 at 13:50 -0500, Richard Guy Briggs wrote: > > > > On 14/12/15, Eric Paris wrote: > > > > > Lets say I and in the non-init pid namespace. > > > > > > > > > > I run audictl -a exit,always -S all -F pid=1 > > > > > > > > That's easy (for now). Line 675 of kernel/audit.c in > > > > audit_netlink_ok() > > > > > > > > called from audit_receive_msg() will prevent that with: > > > > if ((task_active_pid_ns(current) != &init_pid_ns)) > > > > > > > > return -EPERM; > > > > > > > > > Is the audit system going to show records for what I think is pid=1 > > > > > or > > > > > what the initial pid namespace thinks is pid=1 ? > > > > > > ACK from me then. > > > > Okay, thanks. Anybody else want to jump on the Ack/Review bandwagon? > > Guess I should have added some text about that... Add whichever you > feel is most appropriate (Ack/Review/Signed...)
I'll add your Reviewed-by tag then. Thanks. I suppose everyone is different, but I *really* like seeing "Reviewed-by" and "Tested-by" tags on a patch since it indicates that someone who is not the patch author has looked at and/or tested the code separately and found it to be good. To me Acked-by usually just means that the maintainer, or someone important to the effort, gave it a passing glance a said "ok". Ack's are important, but I give a higher weight to the reviewed and tested tags. -- paul moore security and virtualization @ redhat -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
