Commit d040e5af authored by Eric Paris's avatar Eric Paris
Browse files

audit: audit feature to only allow unsetting the loginuid 



This is a new audit feature which only grants processes with
CAP_AUDIT_CONTROL the ability to unset their loginuid.  They cannot
directly set it from a valid uid to another valid uid.  The ability to
unset the loginuid is nice because a priviledged task, like that of
container creation, can unset the loginuid and then priv is not needed
inside the container when a login daemon needs to set the loginuid.

Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 81407c84

include/uapi/linux/audit.h

+2 −1
Original line number Diff line number Diff line
@@ -386,7 +386,8 @@ struct audit_features { 
	__u32	lock;		/* which features to lock */

};



#define AUDIT_LAST_FEATURE	-1

#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID	0

#define AUDIT_LAST_FEATURE			AUDIT_FEATURE_ONLY_UNSET_LOGINUID



#define audit_feature_valid(x)		((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)

#define AUDIT_FEATURE_TO_MASK(x)	(1 << ((x) & 31)) /* mask for __u32 */

kernel/audit.c

+2 −1
Original line number Diff line number Diff line
@@ -144,7 +144,8 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, 
				   .features = 0,

				   .lock = 0,};



static char *audit_feature_names[0] = {

static char *audit_feature_names[1] = {

	"only_unset_loginuid",

};

kernel/auditsc.c

+3 −0
Original line number Diff line number Diff line
@@ -1974,6 +1974,9 @@ static int audit_set_loginuid_perm(kuid_t loginuid) 
	/* it is set, you need permission */

	if (!capable(CAP_AUDIT_CONTROL))

		return -EPERM;

	/* reject if this is not an unset and we don't allow that */

	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))

		return -EPERM;

	return 0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE