Because We want to avoid the DoS attack caused by other user namespace,so don't make audit_rate_limit per user namespace. And only init user namespace has rights to change it.
Signed-off-by: Gao feng <[email protected]> --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 0b9cef2..306231d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -295,6 +295,9 @@ static int audit_do_config_change(char *function_name, int *to_change, int new) static int audit_set_rate_limit(int limit) { + if (current_user_ns() != &init_user_ns) + return -EPERM; + return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit); } -- 1.8.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
