From 83fa6bbe4c4541ae748b550b4ec391f8a0acfe94 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Fri, 24 May 2013 09:39:29 -0400 Subject: audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE After trying to use this feature in Fedora we found the hard coding policy like this into the kernel was a bad idea. Surprise surprise. We ran into these problems because it was impossible to launch a container as a logged in user and run a login daemon inside that container. This reverts back to the old behavior before this option was added. The option will be re-added in a userspace selectable manor such that userspace can choose when it is and when it is not appropriate. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- kernel/auditsc.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'kernel/auditsc.c') diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 72684679e8b..b55788bf160 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1968,15 +1968,13 @@ static atomic_t session_id = ATOMIC_INIT(0); static int audit_set_loginuid_perm(kuid_t loginuid) { -#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE /* if we are unset, we don't need privs */ if (!audit_loginuid_set(current)) return 0; -#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ - if (capable(CAP_AUDIT_CONTROL)) - return 0; -#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */ - return -EPERM; + /* it is set, you need permission */ + if (!capable(CAP_AUDIT_CONTROL)) + return -EPERM; + return 0; } static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, -- cgit v1.2.3-70-g09d2