audit: allow user processes to log from another PID namespace
authorRichard Guy Briggs <rgb@redhat.com>
Fri, 16 Aug 2013 04:04:46 +0000 (00:04 -0400)
committerEric Paris <eparis@redhat.com>
Thu, 20 Mar 2014 14:11:56 +0000 (10:11 -0400)
Still only permit the audit logging daemon and control to operate from the
initial PID namespace, but allow processes to log from another PID namespace.

Cc: "Eric W. Biederman" <ebiederm@xmission.com>
(informed by ebiederman's c776b5d2)

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
kernel/audit.c

index 5a096f8..72c6e1c 100644 (file)
@@ -607,9 +607,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
        int err = 0;
 
-       /* Only support the initial namespaces for now. */
-       if ((current_user_ns() != &init_user_ns) ||
-           (task_active_pid_ns(current) != &init_pid_ns))
+       /* Only support initial user namespace for now. */
+       if ((current_user_ns() != &init_user_ns))
                return -EPERM;
 
        switch (msg_type) {
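Review bot: The rewritten condition wraps a single comparison in two sets of parentheses; kernel style would be `if (current_user_ns() != &init_user_ns)`. The check added in the next hunk, `if ((task_active_pid_ns(current) != &init_pid_ns))`, has the same doubled parentheses. Removing the PID-namespace test here makes every message type that is not re-gated later in the switch reachable from a non-initial PID namespace, so the set of types still gated is worth confirming against the full switch, which continues outside the hunk. audit_netlink_ok's body also continues past the end of this hunk.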
@@ -629,6 +628,11 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
        case AUDIT_TTY_SET:
        case AUDIT_TRIM:
        case AUDIT_MAKE_EQUIV:
+               /* Only support auditd and auditctl in initial pid namespace
+                * for now. */
+               if ((task_active_pid_ns(current) != &init_pid_ns))
+                       return -EPERM;
+
                if (!capable(CAP_AUDIT_CONTROL))
                        err = -EPERM;
                break;
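Review bot: The added PID-namespace check sits at the end of a run of case labels that begins above this hunk, so it gates exactly the labels that fall through to it; any control message type handled by a later case or by `default` is now reachable from a non-initial PID namespace, which cannot be confirmed from the visible lines. The check reuses the doubled parentheses noted in the first hunk and could be written `if (task_active_pid_ns(current) != &init_pid_ns)`. The two-line comment should follow kernel multi-line comment style with the closing marker on its own line: `/* Only support auditd and auditctl in initial pid namespace`, ` * for now.`, ` */`. The enclosing switch and function continue outside the hunk.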