Aristeu Rozanski <aroza...@redhat.com> writes:

> Since user events will be followed by namespace information, userspace can filter off undesired container records.
I don't think we want to allow any user to write to the audit records, that is what nsown_capable will allow, as all you would need to do is to unshare the user namespace to be able to write audit records.

Eric

> @@ -597,13 +612,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 > msg_type) > case AUDIT_TTY_SET: > case AUDIT_TRIM: > case AUDIT_MAKE_EQUIV: > - if (!capable(CAP_AUDIT_CONTROL)) > + if (!nsown_capable(CAP_AUDIT_CONTROL)) > err = -EPERM; > break; > case AUDIT_USER: > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: > - if (!capable(CAP_AUDIT_WRITE)) > + if (!nsown_capable(CAP_AUDIT_WRITE)) > err = -EPERM; > break; > default: /* bad msg */

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
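Review bot: both substitutions in this hunk of audit_netlink_ok() lower the privilege bar rather than namespace it. nsown_capable() checks the capability against the caller's own user namespace, and an unprivileged process can create a user namespace in which it holds every capability, so after this change any user can pass the CAP_AUDIT_CONTROL check for AUDIT_TTY_SET / AUDIT_TRIM / AUDIT_MAKE_EQUIV and the CAP_AUDIT_WRITE check for AUDIT_USER and the AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG / AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2 ranges. The audit log is still a single, host-wide resource here, so the checks should stay as `if (!capable(CAP_AUDIT_CONTROL))` and `if (!capable(CAP_AUDIT_WRITE))` (the initial user namespace) until the audit subsystem itself is namespaced; the namespace tagging of user records mentioned in the cover text lets userspace filter records, but it does not limit who may inject them.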