On 01/17/2014 06:29 AM, Serge E. Hallyn wrote:
> Quoting Gao feng (gaofeng@xxxxxxxxxxxxxx):
>> Add a compare function which always returns true for the
>> audit netlink socket. This will make audit netlink
>> sockets netns unaware, and no matter which netns the
>> user space audit netlink sockets belong to, they all
>> can find out and communicate with audit_sock.
>>
>> This gets rid of the need to create a per-netns
>> audit kernel side socket (audit_sock); it's a pain to
>> depend on and get a reference to the netns for auditns.
>>
>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>
> So whereas before you could prevent a task from spamming
> audit by putting it into a private netns, now you have to
> do it using a user namespace (to prevent capable(CAP_AUDIT_WRITE))
> right?
>

Yes, the commit 1a938bec0090dc49abdb471e978e0d8155186845 "listen in all network namespaces" in audit-next already did this change. This patch is another way to allow a task to generate audit messages in an un-init netns. This is one of the purposes of auditns. And this capable check has already been done in audit_netlink_ok.

> I don't know that anyone is depending on that, in any case, but
> it's a change.
>

I think this change should be transparent to the userspace tools, since I don't know why a task should depend on audit being unavailable. Or did I misunderstand your question?

> Is this building up to something?
>

Just allow a task in an un-init netns to communicate with the kernel.

Thanks!
Gao

>> ---
>> kernel/audit.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index b62153a..2ac6212 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -1064,12 +1064,18 @@ static void audit_receive(struct sk_buff *skb) >> mutex_unlock(&audit_cmd_mutex); >> } >> >> +static bool audit_compare(struct net *net, struct sock *sk) >> +{ >> + return true; >> +} >> + >> /* Initialize audit support at boot time. */ >> static int __init audit_init(void) >> { >> int i; >> struct netlink_kernel_cfg cfg = { >> .input = audit_receive, >> + .compare = audit_compare, >> }; >> >> if (audit_initialized == AUDIT_DISABLED) >> -- >> 1.8.4.2 >> >> _______________________________________________ >> Containers mailing list >> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx >> https://lists.linuxfoundation.org/mailman/listinfo/containers > _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
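Review bot: audit_compare ignores both of its arguments (net and sk) and returns true unconditionally, so this hunk removes the network-namespace boundary for the audit netlink socket entirely and leaves the capable(CAP_AUDIT_WRITE) check in audit_netlink_ok, which the thread mentions, as the only thing stopping a task in a non-init netns from reaching audit_sock. A short comment above audit_compare stating that the "always match" behaviour is intentional and that the capability check is now the remaining gate would help future readers, and the commit message should spell out how this relates to the "listen in all network namespaces" change in audit-next that the reply says already covers the same case, since otherwise the two approaches will collide when merged.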