AUDIT: Allow login in non-init namespaces

[~andy/linux] / kernel / audit.c

diff --git a/kernel/audit.c b/kernel/audit.c
index 32086bff5564edf9737da7ea4a4aa740b9c659bc..95a20f3f52f1c9f35b7d6aa2cb0a8b7c05fdbc69 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -559,7 +559,7 @@ static int audit_send_reply_thread(void *arg)
 }
 /**
  * audit_send_reply - send an audit reply message via netlink
- * @portid: netlink port to which to send reply
+ * @request_skb: skb of request we are replying to (used to target the reply)
  * @seq: sequence number
  * @type: audit message type
  * @done: done (last) flag
@@ -608,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
        int err = 0;
 
        /* Only support the initial namespaces for now. */
+       /*
+        * We return ECONNREFUSED because it tricks userspace into thinking
+        * that audit was not configured into the kernel.  Lots of users
+        * configure their PAM stack (because that's what the distro does)
+        * to reject login if unable to send messages to audit.  If we return
+        * ECONNREFUSED the PAM stack thinks the kernel does not have audit
+        * configured in and will let login proceed.  If we return EPERM
+        * userspace will reject all logins.  This should be removed when we
+        * support non init namespaces!!
+        */
        if ((current_user_ns() != &init_user_ns) ||
            (task_active_pid_ns(current) != &init_pid_ns))
-               return -EPERM;
+               return -ECONNREFUSED;
 
        switch (msg_type) {
        case AUDIT_LIST: