1 files changed, 15 insertions, 1 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 6ac2236244c3..3f42cd66f0f8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -355,7 +355,7 @@ config AUDIT
 config AUDITSYSCALL
        bool "Enable system-call auditing support"
-        depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH)
+        depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || ARM)
        default y if SECURITY_SELINUX
        help
          Enable low-overhead system-call auditing infrastructure that
@@ -372,6 +372,20 @@ config AUDIT_TREE
        depends on AUDITSYSCALL
        select FSNOTIFY
+config AUDIT_LOGINUID_IMMUTABLE
+        bool "Make audit loginuid immutable"
+        depends on AUDIT
+        help
+          The config option toggles if a task setting its loginuid requires
+          CAP_SYS_AUDITCONTROL or if that task should require no special permissions
+          but should instead only allow setting its loginuid if it was never
+          previously set.  On systems which use systemd or a similar central
+          process to restart login services this should be set to true.  On older
+          systems in which an admin would typically have to directly stop and
+          start processes this should be set to false.  Setting this to true allows
+          one to drop potentially dangerous capabilites from the login tasks,
+          but may not be backwards compatible with older init systems.
 source "kernel/irq/Kconfig"
 menu "RCU Subsystem"

diff --git a/init/Kconfig b/init/Kconfig index 6ac2236244c3..3f42cd66f0f8 100644 --- a/init/Kconfig +++ b/init/Kconfig
@@ -355,7 +355,7 @@ config AUDIT
355		355
356	config AUDITSYSCALL	356	config AUDITSYSCALL
357	bool "Enable system-call auditing support"	357	bool "Enable system-call auditing support"
358	depends on AUDIT && (X86 \|\| PPC \|\| S390 \|\| IA64 \|\| UML \|\| SPARC64 \|\| SUPERH)	358	depends on AUDIT && (X86 \|\| PPC \|\| S390 \|\| IA64 \|\| UML \|\| SPARC64 \|\| SUPERH \|\| ARM)
359	default y if SECURITY_SELINUX	359	default y if SECURITY_SELINUX
360	help	360	help
361	Enable low-overhead system-call auditing infrastructure that	361	Enable low-overhead system-call auditing infrastructure that
@@ -372,6 +372,20 @@ config AUDIT_TREE
372	depends on AUDITSYSCALL	372	depends on AUDITSYSCALL
373	select FSNOTIFY	373	select FSNOTIFY
374		374
		375	config AUDIT_LOGINUID_IMMUTABLE
		376	bool "Make audit loginuid immutable"
		377	depends on AUDIT
		378	help
		379	The config option toggles if a task setting its loginuid requires
		380	CAP_SYS_AUDITCONTROL or if that task should require no special permissions
		381	but should instead only allow setting its loginuid if it was never
		382	previously set. On systems which use systemd or a similar central
		383	process to restart login services this should be set to true. On older
		384	systems in which an admin would typically have to directly stop and
		385	start processes this should be set to false. Setting this to true allows
		386	one to drop potentially dangerous capabilites from the login tasks,
		387	but may not be backwards compatible with older init systems.
		388
375	source "kernel/irq/Kconfig"	389	source "kernel/irq/Kconfig"
376		390
377	menu "RCU Subsystem"	391	menu "RCU Subsystem"