-rw-r--r-- | kernel/audit.c | 12 |
1 files changed, 11 insertions, 1 deletions
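--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -608,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	int err = 0;
 
 	/* Only support the initial namespaces for now. */
+	/*
+	 * We return ECONNREFUSED because it tricks userspace into thinking
+	 * that audit was not configured into the kernel.  Lots of users
+	 * configure their PAM stack (because that's what the distro does)
+	 * to reject login if unable to send messages to audit.  If we return
+	 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
+	 * configured in and will let login proceed.  If we return EPERM
+	 * userspace will reject all logins.  This should be removed when we
+	 * support non init namespaces!!
+	 */
 	if ((current_user_ns() != &init_user_ns) ||
 	    (task_active_pid_ns(current) != &init_pid_ns))
-		return -EPERM;
+		return -ECONNREFUSED;
 
 	switch (msg_type) {
 	case AUDIT_LIST: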
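Review bot: The new `return -ECONNREFUSED;` makes a namespace-policy refusal indistinguishable from audit being absent from the kernel, so an auditd or PAM module running in a non-init user or pid namespace will conclude that auditing is unavailable and carry on with no record that its messages were dropped. The comment explains why that is chosen over EPERM, but nothing makes the refusal observable to an administrator; a rate-limited diagnostic at the point of refusal would let operators tell a deliberately refused container from a kernel built without audit. The comment's closing remark is the only reminder that this is temporary; a grep-able marker on the check itself, `/* TODO: return -EPERM again once non-init namespaces are supported */`, would make the intended follow-up easier to find than the prose. audit_netlink_ok() begins before this hunk and its body continues past it.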