Quoting Gao feng (gaofeng@xxxxxxxxxxxxxx):
> Add a compare function which always returns true for
> audit netlink socket, this will make audit netlink
> sockets netns unaware, and no matter which netns the
> user space audit netlink sockets belong to, they all
> can find out and communicate with audit_sock.
>
> This gets rid of the need to create per-netns
> audit kernel side socket (audit_sock), it's a pain to
> depend on and get a reference to the netns for auditns.
>
> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>

So whereas before you could prevent a task from spamming audit by
putting it into a private netns, now you have to do it using a user
namespace (to prevent capable(CAP_AUDIT_WRITE)), right?

I don't know that anyone is depending on that, in any case, but it's a
change.

Is this building up to something?

> ---
> kernel/audit.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b62153a..2ac6212 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1064,12 +1064,18 @@ static void audit_receive(struct sk_buff *skb)
> mutex_unlock(&audit_cmd_mutex);
> }
>
> +static bool audit_compare(struct net *net, struct sock *sk)
> +{
> + return true;
> +}
> +
> /* Initialize audit support at boot time. */
> static int __init audit_init(void)
> {
> int i;
> struct netlink_kernel_cfg cfg = {
> .input = audit_receive,
> + .compare = audit_compare,
> };
>
> if (audit_initialized == AUDIT_DISABLED)
> --
> 1.8.4.2
>
> _______________________________________________
> Containers mailing list
> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
> https://lists.linuxfoundation.org/mailman/listinfo/containers
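Review bot: audit_compare returning true unconditionally needs a comment above it, and a sentence in the changelog, stating that audit_sock is deliberately matched from every network namespace and what still gates a sender once the netns match no longer does; as the reply above points out, the only remaining check is the capability test on the audit command path, so that should be spelled out next to the code rather than left for the reader to infer. The unused net and sk parameters are dictated by the compare callback that the .compare member of netlink_kernel_cfg takes, so a short "/* audit_sock is netns-unaware; see audit_receive for the capability checks */" style comment would also explain why they are ignored.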