diff options
Diffstat (limited to 'kernel/audit.c')
| -rw-r--r-- | kernel/audit.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 5a096f8e28cb..72c6e1cd6ef5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -607,9 +607,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 607 | { | 607 | { |
| 608 | int err = 0; | 608 | int err = 0; |
| 609 | 609 | ||
| 610 | /* Only support the initial namespaces for now. */ | 610 | /* Only support initial user namespace for now. */ |
| 611 | if ((current_user_ns() != &init_user_ns) || | 611 | if ((current_user_ns() != &init_user_ns)) |
| 612 | (task_active_pid_ns(current) != &init_pid_ns)) | ||
| 613 | return -EPERM; | 612 | return -EPERM; |
| 614 | 613 | ||
| 615 | switch (msg_type) { | 614 | switch (msg_type) { |
| @@ -629,6 +628,11 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 629 | case AUDIT_TTY_SET: | 628 | case AUDIT_TTY_SET: |
| 630 | case AUDIT_TRIM: | 629 | case AUDIT_TRIM: |
| 631 | case AUDIT_MAKE_EQUIV: | 630 | case AUDIT_MAKE_EQUIV: |
| 631 | /* Only support auditd and auditctl in initial pid namespace | ||
| 632 | * for now. */ | ||
| 633 | if ((task_active_pid_ns(current) != &init_pid_ns)) | ||
| 634 | return -EPERM; | ||
| 635 | |||
| 632 | if (!capable(CAP_AUDIT_CONTROL)) | 636 | if (!capable(CAP_AUDIT_CONTROL)) |
| 633 | err = -EPERM; | 637 | err = -EPERM; |
| 634 | break; | 638 | break; |