Only these two vars are namespace aware.
Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 kernel/audit.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index d7a0993..2132929 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -685,16 +685,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 if (nlh->nlmsg_len < sizeof(struct audit_status))
 return -EINVAL;
 status_get = (struct audit_status *)data;
- if (status_get->mask & AUDIT_STATUS_ENABLED) {
- err = audit_set_enabled(status_get->enabled);
- if (err < 0)
- return err;
- }
- if (status_get->mask & AUDIT_STATUS_FAILURE) {
- err = audit_set_failure(status_get->failure);
- if (err < 0)
- return err;
- }
 if (status_get->mask & AUDIT_STATUS_PID) {
 int new_pid = status_get->pid;
 struct task_struct *task;
@@ -713,6 +703,22 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 init_audit_ns.portid = NETLINK_CB(skb).portid;
 }
+
+ /* Right now, only audit_pid and audit_portid are namesapce
+ * aware. */
+ if (ns != &init_audit_ns)
+ return -EPERM;
+
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
+ err = audit_set_enabled(status_get->enabled);
+ if (err < 0)
+ return err;
+ }
+ if (status_get->mask & AUDIT_STATUS_FAILURE) {
+ err = audit_set_failure(status_get->failure);
+ if (err < 0)
+ return err;
+ }
 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
 err = audit_set_rate_limit(status_get->rate_limit);
 if (err < 0)
--
1.8.3.1
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
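Review bot: The namespace check added in the second hunk, `if (ns != &init_audit_ns) return -EPERM;`, sits after the AUDIT_STATUS_PID block and ignores the mask, so a non-init namespace that sets only AUDIT_STATUS_PID — the field the commit message says is namespace aware — still gets -EPERM after its pid/portid has already been applied (the context line `init_audit_ns.portid = NETLINK_CB(skb).portid;` runs first), and a request mixing PID with other bits is half-applied before the error. Validate the mask before any field is written: move the check ahead of the AUDIT_STATUS_PID block as `if (ns != &init_audit_ns && (status_get->mask & ~AUDIT_STATUS_PID)) return -EPERM;`, which also makes the permitted subset explicit rather than implied by ordering. Note that relocating the ENABLED/FAILURE handling after the PID block changes the order in which fields take effect compared with the removed code; if callers depend on enabled being set before the pid, that ordering change deserves a sentence in the commit message. The comment above the check misspells namespace (`namesapce`). `ns` and the body of the PID block are outside the hunk, and audit_receive_msg continues beyond it on both sides, so this is inferred from the visible lines only.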