Главная Обзор Помощь
Вход
GfA
/
linux_kernel
5
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Просмотр исходного кода

audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE

After trying to use this feature in Fedora we found the hard coding
policy like this into the kernel was a bad idea.  Surprise surprise.
We ran into these problems because it was impossible to launch a
container as a logged in user and run a login daemon inside that container.
This reverts back to the old behavior before this option was added.  The
option will be re-added in a userspace selectable manor such that
userspace can choose when it is and when it is not appropriate.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Eric Paris 12 лет назад
Родитель
da0a610497
Сommit
83fa6bbe4c
2 измененных файлов с 4 добавлено и 20 удалено
Единый вид Показать статистику Diff
  1. 0 14
      init/Kconfig
  2. 4 6
      kernel/auditsc.c

+ 0 - 14
init/Kconfig
Просмотреть файл 

@@ -301,20 +301,6 @@ config AUDIT_TREE
 
 	depends on AUDITSYSCALL
 
 	depends on AUDITSYSCALL
 
 	select FSNOTIFY
 
 	select FSNOTIFY
 
 
 
-config AUDIT_LOGINUID_IMMUTABLE
 
-	bool "Make audit loginuid immutable"
 
-	depends on AUDIT
 
-	help
 
-	  The config option toggles if a task setting its loginuid requires
 
-	  CAP_SYS_AUDITCONTROL or if that task should require no special permissions
 
-	  but should instead only allow setting its loginuid if it was never
 
-	  previously set.  On systems which use systemd or a similar central
 
-	  process to restart login services this should be set to true.  On older
 
-	  systems in which an admin would typically have to directly stop and
 
-	  start processes this should be set to false.  Setting this to true allows
 
-	  one to drop potentially dangerous capabilites from the login tasks,
 
-	  but may not be backwards compatible with older init systems.
 
-
 
 source "kernel/irq/Kconfig"
 
 source "kernel/irq/Kconfig"
 
 source "kernel/time/Kconfig"
 
 source "kernel/time/Kconfig"

+ 4 - 6
kernel/auditsc.c
Просмотреть файл 

@@ -1968,15 +1968,13 @@ static atomic_t session_id = ATOMIC_INIT(0);
 
 
 
 static int audit_set_loginuid_perm(kuid_t loginuid)
 
 static int audit_set_loginuid_perm(kuid_t loginuid)
 
 {
 
 {
 
-#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
 
 	/* if we are unset, we don't need privs */
 
 	/* if we are unset, we don't need privs */
 
 	if (!audit_loginuid_set(current))
 
 	if (!audit_loginuid_set(current))
 
 		return 0;
 
 		return 0;
 
-#else	/* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
 
-	if (capable(CAP_AUDIT_CONTROL))
 
-		return 0;
 
-#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
 
-	return -EPERM;
 
+	/* it is set, you need permission */
 
+	if (!capable(CAP_AUDIT_CONTROL))
 
+		return -EPERM;
 
+	return 0;
 
 }
 
 }
 
 
 
 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
 
 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,