diff options
Diffstat (limited to 'init')
-rw-r--r-- | init/Kconfig | 16 | ||||
-rw-r--r-- | init/main.c | 2 |
2 files changed, 16 insertions, 2 deletions
diff --git a/init/Kconfig b/init/Kconfig index 6ac2236244c3..3f42cd66f0f8 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -355,7 +355,7 @@ config AUDIT config AUDITSYSCALL bool "Enable system-call auditing support" - depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH) + depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || ARM) default y if SECURITY_SELINUX help Enable low-overhead system-call auditing infrastructure that @@ -372,6 +372,20 @@ config AUDIT_TREE depends on AUDITSYSCALL select FSNOTIFY +config AUDIT_LOGINUID_IMMUTABLE + bool "Make audit loginuid immutable" + depends on AUDIT + help + The config option toggles if a task setting its loginuid requires + CAP_SYS_AUDITCONTROL or if that task should require no special permissions + but should instead only allow setting its loginuid if it was never + previously set. On systems which use systemd or a similar central + process to restart login services this should be set to true. On older + systems in which an admin would typically have to directly stop and + start processes this should be set to false. Setting this to true allows + one to drop potentially dangerous capabilites from the login tasks, + but may not be backwards compatible with older init systems. + source "kernel/irq/Kconfig" menu "RCU Subsystem" diff --git a/init/main.c b/init/main.c index 415548e808d2..ff49a6dacfbb 100644 --- a/init/main.c +++ b/init/main.c @@ -648,7 +648,7 @@ static void __init do_ctors(void) #endif } -int initcall_debug; +bool initcall_debug; core_param(initcall_debug, initcall_debug, bool, 0644); static char msgbuf[64]; |