On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote: > It is not permitted to unset the audit container identifier. > A child inherits its parent's audit container identifier. ... > /** > + * audit_set_contid - set current task's audit contid > + * @contid: contid value > + * > + * Returns 0 on success, -EPERM on permission failure. > + * > + * Called (set) from fs/proc/base.c::proc_contid_write(). > + */ > +int audit_set_contid(struct task_struct *task, u64 contid) > +{ > + u64 oldcontid; > + int rc = 0; > + struct audit_buffer *ab; > + uid_t uid; > + struct tty_struct *tty; > + char comm[sizeof(current->comm)]; > + > + task_lock(task); > + /* Can't set if audit disabled */ > + if (!task->audit) { > + task_unlock(task); > + return -ENOPROTOOPT; > + } > + oldcontid = audit_get_contid(task); > + read_lock(&tasklist_lock); > + /* Don't allow the audit containerid to be unset */ > + if (!audit_contid_valid(contid)) > + rc = -EINVAL; > + /* if we don't have caps, reject */ > + else if (!capable(CAP_AUDIT_CONTROL)) > + rc = -EPERM; > + /* if task has children or is not single-threaded, deny */ > + else if (!list_empty(&task->children)) > + rc = -EBUSY; > + else if (!(thread_group_leader(task) && thread_group_empty(task))) > + rc = -EALREADY; > + read_unlock(&tasklist_lock); > + if (!rc) > + task->audit->contid = contid; > + task_unlock(task); > + > + if (!audit_enabled) > + return rc; ...but it is allowed to change it (assuming capable(CAP_AUDIT_CONTROL), of course)? Seems like this might be more immediately useful since we still live in the world of majority privileged containers if we didn't allow changing it, in addition to un-setting it. Tycho