12 жил өмнө · 83fa6bbe4c
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -301,20 +301,6 @@ config AUDIT_TREE
 
				 	depends on AUDITSYSCALL
			
 
				 	select FSNOTIFY
			
 
				 
			
 
				-config AUDIT_LOGINUID_IMMUTABLE
			
 
				-	bool "Make audit loginuid immutable"
			
 
				-	depends on AUDIT
			
 
				-	help
			
 
				-	  The config option toggles if a task setting its loginuid requires
			
 
				-	  CAP_SYS_AUDITCONTROL or if that task should require no special permissions
			
 
				-	  but should instead only allow setting its loginuid if it was never
			
 
				-	  previously set.  On systems which use systemd or a similar central
			
 
				-	  process to restart login services this should be set to true.  On older
			
 
				-	  systems in which an admin would typically have to directly stop and
			
 
				-	  start processes this should be set to false.  Setting this to true allows
			
 
				-	  one to drop potentially dangerous capabilites from the login tasks,
			
 
				-	  but may not be backwards compatible with older init systems.
			
 
				-
			
 
				 source "kernel/irq/Kconfig"
			
 
				 source "kernel/time/Kconfig"
			
 
				 
			
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1968,15 +1968,13 @@ static atomic_t session_id = ATOMIC_INIT(0);
 
				 
			
 
				 static int audit_set_loginuid_perm(kuid_t loginuid)
			
 
				 {
			
 
				-#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
			
 
				 	/* if we are unset, we don't need privs */
			
 
				 	if (!audit_loginuid_set(current))
			
 
				 		return 0;
			
 
				-#else	/* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
			
 
				-	if (capable(CAP_AUDIT_CONTROL))
			
 
				-		return 0;
			
 
				-#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
			
 
				-	return -EPERM;
			
 
				+	/* it is set, you need permission */
			
 
				+	if (!capable(CAP_AUDIT_CONTROL))
			
 
				+		return -EPERM;
			
 
				+	return 0;
			
 
				 }
			
 
				 
			
 
				 static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,