Re: [PATCH v2 6/7] audit: Use task_is_in_init_pid_ns()
From: Richard Guy Briggs
Date: Wed Dec 15 2021 - 14:09:51 EST
On 2021-12-14 17:35, Paul Moore wrote:
> On Wed, Dec 8, 2021 at 3:33 AM Leo Yan <leo.yan@xxxxxxxxxx> wrote:
> >
> > Replace open code with task_is_in_init_pid_ns() for checking root PID
> > namespace.
> >
> > Signed-off-by: Leo Yan <leo.yan@xxxxxxxxxx>
> > ---
> > kernel/audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> I'm not sure how necessary this is, but it looks correct to me.
I had the same thought. I looks correct to me. I could see the value
if it permitted init_pid_ns to not be global.
> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Reviewed-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..56ea91014180 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > case AUDIT_MAKE_EQUIV:
> > /* Only support auditd and auditctl in initial pid namespace
> > * for now. */
> > - if (task_active_pid_ns(current) != &init_pid_ns)
> > + if (!task_is_in_init_pid_ns(current))
> > return -EPERM;
> >
> > if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
> > --
> > 2.25.1
>
> paul moore
- RGB
--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635