[PATCH RFC 13/48] Audit: only allow init user namespace to change audit_rate_limit

Gao feng Mon, 06 May 2013 19:29:42 -0700

Because We want to avoid the DoS attack caused by other user
namespace,so don't make audit_rate_limit per user namespace.


And only init user namespace has rights to change it.

Signed-off-by: Gao feng <gaof...@cn.fujitsu.com>
---
 kernel/audit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index bf8b59c..8a3ea47 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -308,6 +308,9 @@ static int audit_do_config_change(char *function_name, int 
*to_change,
 static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
                                u32 sid)
 {
+       if (current_user_ns() != &init_user_ns)
+               return -EPERM;
+
        return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
                                      limit, loginuid, sessionid, sid);
 }
-- 
1.8.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH RFC 13/48] Audit: only allow init user namespace to change audit_rate_limit

Reply via email to