author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-01-17 19:06:51 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-01-17 19:41:31 -0500 |
commit | f429ee3b808118591d1f3cdf3c0d0793911a5677 (patch) | |
tree | 96d848f5f677d96758ecd2aee5eb6931b75bf218 /init | |
parent | 22b4eb5e3174efb49791c62823d0cccc35394c36 (diff) | |
parent | c158a35c8a681cf68d36f22f058f9f5466386c71 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit: (29 commits)
audit: no leading space in audit_log_d_path prefix
audit: treat s_id as an untrusted string
audit: fix signedness bug in audit_log_execve_info()
audit: comparison on interprocess fields
audit: implement all object interfield comparisons
audit: allow interfield comparison between gid and ogid
audit: complex interfield comparison helper
audit: allow interfield comparison in audit rules
Kernel: Audit Support For The ARM Platform
audit: do not call audit_getname on error
audit: only allow tasks to set their loginuid if it is -1
audit: remove task argument to audit_set_loginuid
audit: allow audit matching on inode gid
audit: allow matching on obj_uid
audit: remove audit_finish_fork as it can't be called
audit: reject entry,always rules
audit: inline audit_free to simplify the look of generic code
audit: drop audit_set_macxattr as it doesn't do anything
audit: inline checks for not needing to collect aux records
audit: drop some potentially inadvisable likely notations
...
Use evil merge to fix up grammar mistakes in Kconfig file.
Bad speling and horrible grammar (and copious swearing) is to be
expected, but let's keep it to commit messages and comments, rather than
expose it to users in config help texts or printouts.
Diffstat (limited to 'init')
-rw-r--r-- | init/Kconfig | 16 |
1 files changed, 15 insertions, 1 deletions
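diff --git a/init/Kconfig b/init/Kconfig
index 6ac2236244c3..3f42cd66f0f8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -355,7 +355,7 @@ config AUDIT
 
 config AUDITSYSCALL
 bool "Enable system-call auditing support"
-depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH)
+depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || ARM)
 default y if SECURITY_SELINUX
 help
 Enable low-overhead system-call auditing infrastructure that
@@ -372,6 +372,20 @@ config AUDIT_TREE
 depends on AUDITSYSCALL
 select FSNOTIFY
 
+config AUDIT_LOGINUID_IMMUTABLE
+bool "Make audit loginuid immutable"
+depends on AUDIT
+help
+The config option toggles if a task setting its loginuid requires
+CAP_SYS_AUDITCONTROL or if that task should require no special permissions
+but should instead only allow setting its loginuid if it was never
+previously set. On systems which use systemd or a similar central
+process to restart login services this should be set to true. On older
+systems in which an admin would typically have to directly stop and
+start processes this should be set to false. Setting this to true allows
+one to drop potentially dangerous capabilites from the login tasks,
+but may not be backwards compatible with older init systems.
+
 source "kernel/irq/Kconfig"
 
 menu "RCU Subsystem"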
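Review bot: The help text added for AUDIT_LOGINUID_IMMUTABLE names `CAP_SYS_AUDITCONTROL`, which is not a capability the kernel defines; the capability that gates audit configuration is `CAP_AUDIT_CONTROL`, and that is presumably what the loginuid check (not visible in this section) tests. Because the option exists so that login services can run without that capability, the text should name it exactly, e.g. `CAP_AUDIT_CONTROL or if that task should require no special permissions`. The same paragraph misspells `capabilites` and says "set to true" / "set to false" where a Kconfig bool is answered y or n. With no `default` line the option stays off, which keeps the capability-gated behaviour unless a distribution opts in; a sentence in the help saying so would help anyone auditing a kernel config for loginuid integrity.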