Created
July 28, 2014 15:51
Linux kernel patch for 3.13.0-32-generic - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=543bc6a1a987672b79d6ebe8e2ab10471d8f1047
| --- a/kernel/audit.c | |
| +++ b/kernel/audit.c | |
| @@ -584,9 +584,19 @@ | |
| int err = 0; | |
| /* Only support the initial namespaces for now. */ | |
| + /* | |
| + * We return ECONNREFUSED because it tricks userspace into thinking | |
| + * that audit was not configured into the kernel. Lots of users | |
| + * configure their PAM stack (because that's what the distro does) | |
| + * to reject login if unable to send messages to audit. If we return | |
| + * ECONNREFUSED the PAM stack thinks the kernel does not have audit | |
| + * configured in and will let login proceed. If we return EPERM | |
| + * userspace will reject all logins. This should be removed when we | |
| + * support non init namespaces!! | |
| + */ | |
| if ((current_user_ns() != &init_user_ns) || | |
| (task_active_pid_ns(current) != &init_pid_ns)) | |
| - return -EPERM; | |
| + return -ECONNREFUSED; | |
| switch (msg_type) { | |
| case AUDIT_LIST: |
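Review bot: The "return -ECONNREFUSED;" under the namespace check reports a permission denial as if audit were not configured, so a caller outside the initial user or PID namespace can no longer tell "not permitted" from "audit absent". By the comment's own account, PAM then lets the login proceed on the belief that the kernel has no audit support. The comment should say outright that audit messages from those namespaces are refused while login continues, since that is the trade-off a later reader needs to see. The existing one-line comment "Only support the initial namespaces for now." and the new block comment sit back to back and could be merged into one. The closing "This should be removed when we support non init namespaces!!" would be easier to find later if written as a FIXME or TODO marker.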