X-Git-Url: http://pileus.org/git/?p=~andy%2Flinux;a=blobdiff_plain;f=kernel%2Faudit.c;h=95a20f3f52f1c9f35b7d6aa2cb0a8b7c05fdbc69;hp=3392d3e0254ac5d93199c0b00e271cbb0b2bfc9c;hb=aa4af831bb4f3168f2f574b2620124699c09c4a3;hpb=00a1a053ebe5febcfc2ec498bd894f035ad2aa06
diff --git a/kernel/audit.c b/kernel/audit.c
index 3392d3e0254..95a20f3f52f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -608,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 int err = 0;
 
 /* Only support the initial namespaces for now. */
+ /*
+ * We return ECONNREFUSED because it tricks userspace into thinking
+ * that audit was not configured into the kernel. Lots of users
+ * configure their PAM stack (because that's what the distro does)
+ * to reject login if unable to send messages to audit. If we return
+ * ECONNREFUSED the PAM stack thinks the kernel does not have audit
+ * configured in and will let login proceed. If we return EPERM
+ * userspace will reject all logins. This should be removed when we
+ * support non init namespaces!!
+ */
 if ((current_user_ns() != &init_user_ns) ||
 (task_active_pid_ns(current) != &init_pid_ns))
- return -EPERM;
+ return -ECONNREFUSED;
 
 switch (msg_type) {
 case AUDIT_LIST:
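Review bot: The new comment explains why ECONNREFUSED is returned but never states the security consequence of the choice. Because the namespace check sits before `switch (msg_type)`, every audit netlink message from a task outside the initial user or pid namespace is refused with an errno that userspace reads as "audit not built in", so a PAM stack configured to fail closed lets the login through with no audit record. I would add a line to the block such as `* Side effect: nothing sent from a non-init user/pid namespace is audited, and fail-closed PAM setups fail open there.` so the trade-off is visible to whoever later adds namespace support. The older one-line comment `/* Only support the initial namespaces for now. */` could also be folded into the new block, since the two now sit back to back. The body of audit_netlink_ok starts before and continues past this hunk.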