[PATCH 13/22] Audit: only allow init user namespace to change rate limit

From: Gao feng
Date: Tue Jun 18 2013 - 21:57:40 EST

Next message: Gao feng: "[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit"
Previous message: Gao feng: "[PATCH 16/22] Audit: make kauditd_wait per user namespace"
In reply to: Gao feng: "[PATCH 16/22] Audit: make kauditd_wait per user namespace"
Next in thread: Gao feng: "[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Because We want to avoid the DoS attack caused by other user
namespace,so don't make audit_rate_limit per user namespace.
And only init user namespace has rights to change it.

Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
kernel/audit.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0b9cef2..306231d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -295,6 +295,9 @@ static int audit_do_config_change(char *function_name, int *to_change, int new)

static int audit_set_rate_limit(int limit)
{
+ if (current_user_ns() != &init_user_ns)
+ return -EPERM;
+
return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
}

--
1.8.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gao feng: "[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit"
Previous message: Gao feng: "[PATCH 16/22] Audit: make kauditd_wait per user namespace"
In reply to: Gao feng: "[PATCH 16/22] Audit: make kauditd_wait per user namespace"
Next in thread: Gao feng: "[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]