On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote:
> Debug the possibility of systemd changing the audit config causing
> shutdown delays by blocking all such requests.

I don't understand what you are saying here. As long as something 
has CAP_AUDIT_CONTROL, it can make changes. But we have to record what made 
the changes in the logs.

-Steve

> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> ---
>  kernel/audit.c |   14 ++++++++------
>  1 files changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 30b3b08..93a466b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -680,18 +680,20 @@ static int audit_netlink_ok(struct sk_buff *skb, u16
> msg_type) case AUDIT_ADD:
>       case AUDIT_DEL:
>               return -EOPNOTSUPP;
> -     case AUDIT_GET:
>       case AUDIT_SET:
> -     case AUDIT_GET_FEATURE:
>       case AUDIT_SET_FEATURE:
> -     case AUDIT_LIST_RULES:
>       case AUDIT_ADD_RULE:
>       case AUDIT_DEL_RULE:
> -     case AUDIT_SIGNAL_INFO:
> -     case AUDIT_TTY_GET:
> -     case AUDIT_TTY_SET:
>       case AUDIT_TRIM:
>       case AUDIT_MAKE_EQUIV:
> +     case AUDIT_TTY_SET:
> +             if (current->tgid == 1)
> +                     return -EPERM;
> +     case AUDIT_GET:
> +     case AUDIT_GET_FEATURE:
> +     case AUDIT_LIST_RULES:
> +     case AUDIT_SIGNAL_INFO:
> +     case AUDIT_TTY_GET:
>               /* Only support auditd and auditctl in initial pid namespace
>                * for now. */
>               if ((task_active_pid_ns(current) != &init_pid_ns))
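Review bot: the `if (current->tgid == 1) return -EPERM;` added under `case AUDIT_TTY_SET:` rejects the request without leaving any trace, so a configuration change attempted by PID 1 is neither applied nor logged; if this is a debugging aid rather than a candidate for merging, the commit message should say so, and otherwise the rejection needs an audit record so the origin of the attempted change stays visible. Two smaller points in the same hunk: the check deliberately falls through into `case AUDIT_GET:` so that the read-only requests skip it, and that unannotated fall-through deserves a `/* fall through */` comment since a reader will otherwise take the missing `break` for a mistake; and `current->tgid == 1` compares the global tgid directly, where `is_global_init(current)` states the same intent in the form used elsewhere in the kernel.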

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
