From: Calvin Owens <calvinowens@fb.com>
To: Eric Paris <eparis@redhat.com>
Cc: <linux-kernel@vger.kernel.org>, <kernel-team@fb.com>,
	<stable@vger.kernel.org>
Subject: [PATCH][RESEND] Revert "AUDIT: Allow login in non-init namespaces"
Date: Tue, 18 Nov 2014 12:32:21 -0800	[thread overview]
Message-ID: <20141118203221.GA1687992@mail.thefacebook.com> (raw)
In-Reply-To: <1415148371-11742-1-git-send-email-calvinowens@fb.com>

This reverts 543bc6a1a987 "AUDIT: Allow login in non-init namespaces".

This commit incorrectly assumes that libpam treats -ECONNREFUSED as
an indicator that audit is disabled, and -EPERM or any other error
as a fatal error that prevents the login from continuing.

The opposite is in fact true: -EPERM allows the login to continue,
and -ECONNREFUSED causes it to refuse the login. This behavior has
been unchanged in upstream linux-pam since at least 2008.

Reverting this change allows libpam to again work as expected in
non-init user namespaces.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Cc: stable@vger.kernel.org
---
Relevant code in linux-pam:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/libpam/pam_audit.c#n56

 kernel/audit.c | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 80983df..656e8ce 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -640,18 +640,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	int err = 0;
 
 	/* Only support initial user namespace for now. */
-	/*
-	 * We return ECONNREFUSED because it tricks userspace into thinking
-	 * that audit was not configured into the kernel.  Lots of users
-	 * configure their PAM stack (because that's what the distro does)
-	 * to reject login if unable to send messages to audit.  If we return
-	 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
-	 * configured in and will let login proceed.  If we return EPERM
-	 * userspace will reject all logins.  This should be removed when we
-	 * support non init namespaces!!
-	 */
 	if (current_user_ns() != &init_user_ns)
-		return -ECONNREFUSED;
+		return -EPERM;
 
 	switch (msg_type) {
 	case AUDIT_LIST:
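Review bot: the hunk drops the ten-line comment explaining why the errno for a non-init user namespace matters to userspace but puts nothing in its place, so the surviving "Only support initial user namespace for now." gives no hint that -EPERM is a deliberate choice and the next person touching this check could flip it back to -ECONNREFUSED. Suggest keeping a two-line comment next to the return, e.g. "/* libpam treats -EPERM as 'audit unavailable, continue'; -ECONNREFUSED makes it refuse the login. */", since that rationale currently lives only in the commit message. The diffstat and hunk otherwise match a straight revert of 543bc6a1a987 (one insertion, eleven deletions), so no further change to the code itself is needed.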
-- 
2.1.1

Thread overview: 12+ messages
2014-11-05  0:46 [PATCH] Revert "AUDIT: Allow login in non-init namespaces" Calvin Owens
2014-11-18 20:32 ` Calvin Owens [this message]
2015-01-09  1:44   ` [PATCH][RESEND 2] " Calvin Owens
2015-01-09  1:44     ` Calvin Owens
2015-01-09 20:33     ` Paul Moore
2015-01-09 21:24       ` Calvin Owens
2015-01-09 21:24         ` Calvin Owens
2015-01-09 21:36         ` Paul Moore
2015-01-15  5:20           ` Calvin Owens
2015-01-15  5:20             ` Calvin Owens
2015-01-13 15:36     ` Richard Guy Briggs
2015-01-13 16:21       ` Richard Guy Briggs