Hi Eric, Today's linux-next merge of the audit tree got a conflict in kernel/audit.c between commit aa4af831bb4f ("AUDIT: Allow login in non-init namespaces") from Linus' tree and commit 5a3cb3b6c3a0 ("audit: allow user processes to log from another PID namespace") from the audit tree. I fixed it up (see below) and can carry the fix as necessary (no action is required). [Eric: that audit tree commit has no Signed-off-by from you even though you committed it ... there are a few like that] -- Cheers, Stephen Rothwell sfr@xxxxxxxxxxxxxxxx diff --cc kernel/audit.c index 95a20f3f52f1,ad77d1e80895..000000000000 --- a/kernel/audit.c +++ b/kernel/audit.c @@@ -607,20 -607,9 +607,19 @@@ static int audit_netlink_ok(struct sk_b { int err = 0; - /* Only support the initial namespaces for now. */ + /* Only support initial user namespace for now. */ + /* + * We return ECONNREFUSED because it tricks userspace into thinking + * that audit was not configured into the kernel. Lots of users + * configure their PAM stack (because that's what the distro does) + * to reject login if unable to send messages to audit. If we return + * ECONNREFUSED the PAM stack thinks the kernel does not have audit + * configured in and will let login proceed. If we return EPERM + * userspace will reject all logins. This should be removed when we + * support non init namespaces!! + */ - if ((current_user_ns() != &init_user_ns) || - (task_active_pid_ns(current) != &init_pid_ns)) + if ((current_user_ns() != &init_user_ns)) - return -EPERM; + return -ECONNREFUSED; switch (msg_type) { case AUDIT_LIST:
Attachment:
pgp38vSuRHWrV.pgp
Description: PGP signature