gmane.linux.kernel.containers

Re: [PATCH ] cgroup: rename cont to cgrp

Tejun Heo — 2013-06-19T08:23:47

Oops, I thought I applied this one.  Apparently not.


Applied to cgroup/for-3.11.

Thanks.

[PATCH 19/22] Audit: pass proper user namespace toaudit_log_common_recv_msg

Gao feng — 2013-06-19T01:53:51

The audit log that generated in user namespace should be
received by the auditd running in this user namespace.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 5d3764c..2d81aac 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -624,17 +624,18 < at >< at > static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 return err;
 }
 
-static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
+static int audit_log_common_recv_msg(struct user_namespace *ns,
+     struct audit_buffer **ab, u16 msg_type)
 {
 int rc = 0;
-uid_t uid = from_kuid(&init_user_ns, current_uid());
+uid_t uid = from_kuid(ns, current_uid());
 
-if (!audit_enabled_ns(&init_user_ns)) {
+if (!audit_enabled_ns(ns)) {
 *ab = NULL;
 return rc;
 }
 
-*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
+*ab = audit_log_start_ns(ns, NULL, GF

[PATCH 22/22] Audit: Allow GET, SET,USER MSG operations in uninit user namespace

Gao feng — 2013-06-19T01:53:54

After this patch, user can set/get audit informations
in container, and they can also send user msg to the
audit subsystem.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0b3fd8b..1b60a5a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -594,11 +594,6 < at >< at > static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
 int err = 0;
 
-/* Only support the initial namespaces for now. */
-if ((current_user_ns() != &init_user_ns) ||
-    (task_active_pid_ns(current) != &init_pid_ns))
-return -EPERM;
-
 switch (msg_type) {
 case AUDIT_LIST:
 case AUDIT_ADD:
< at >< at > -606,6 +601,7 < at >< at > static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 return -EOPNOTSUPP;
 case AUDIT_GET:
 case AUDIT_SET:
+break;
 case AUDIT_LIST_RULES:
 case AUDIT_ADD_RULE:
 case AUDIT_DEL_RULE:
< at >< at > -614,13 +610,17 < at >< at > static int audit_netlink_ok(struct sk

[PATCH 20/22] Audit: Log audit config change in uninit user namespace

Gao feng — 2013-06-19T01:53:52

This patch allow to log audit config change in
uninit user namespace.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 2d81aac..84a882c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -245,13 +245,14 < at >< at > void audit_log_lost(const char *message)
 }
 }
 
-static int audit_log_config_change(char *function_name, int new, int old,
+static int audit_log_config_change(struct user_namespace *ns,
+   char *function_name, int new, int old,
    int allow_changes)
 {
 struct audit_buffer *ab;
 int rc = 0;
 
-ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+ab = audit_log_start_ns(ns, NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 if (unlikely(!ab))
 return rc;
 audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
< at >< at > -260,7 +261,7 < at >< at > static int audit_log_config_change(char *function_name, int new, int old,
 if (rc)
 al

[PATCH 21/22] Audit: send reply message to the auditd in proper usernamespace

Gao feng — 2013-06-19T01:53:53

We can send the audit reply message to userspace auditd
process which running in the same user namespace with the
process which send the audit request message to kernel.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 84a882c..0b3fd8b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -146,6 +146,7 < at >< at > struct audit_buffer {
 struct audit_reply {
 int pid;
 struct sk_buff *skb;
+struct user_namespace *ns;
 };
 
 static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
< at >< at > -532,8 +533,9 < at >< at > static int audit_send_reply_thread(void *arg)
 
 /* Ignore failure. It'll only happen if the sender goes away,
    because our timeout is set to infinite. */
-netlink_unicast(init_user_ns.audit.sock, reply->skb,
+netlink_unicast(reply->ns->audit.sock, reply->skb,
 reply->pid, 0);
+put_user_ns(reply->ns);
 kfree(reply);
 return 0;
 }
< at >< at > -572,11 +574,1

[PATCH 17/22] Audit: make audit_backlog_wait per user namespace

Gao feng — 2013-06-19T01:53:49

Tasks are added to audit_backlog_wait when the
audit_skb_queue of user namespace is full, so
audit_backlog_wait should be per user namespace too.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/user_namespace.h |  1 +
 kernel/audit.c                 | 11 +++++------
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 28938f3..c186a84 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
< at >< at > -29,6 +29,7 < at >< at > struct audit_ctrl {
 struct sk_buff_headhold_queue;
 struct task_struct*kauditd_task;
 wait_queue_head_tkauditd_wait;
+wait_queue_head_tbacklog_wait;
 boolever_enabled;
 };
 #endif
diff --git a/kernel/audit.c b/kernel/audit.c
index e3d7da7..3dcaa97 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -119,8 +119,6 < at >< at > static DEFINE_SPINLOCK(audit_freelist_lock);
 static int   audit_freelist_count;
 static LIST_HEAD(audit_freelist);
 
-static DEC

[PATCH 18/22] Audit: introduce new audit logging interface for usernamespace

Gao feng — 2013-06-19T01:53:50

This interface audit_log_start_ns and audit_log_end_ns
will be used for logging audit logs in user namespace.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/audit.h | 25 ++++++++++++--
 kernel/audit.c        | 95 ++++++++++++++++++++++++++++++---------------------
 2 files changed, 78 insertions(+), 42 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index cc30db9..b64f268 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
< at >< at > -404,10 +404,18 < at >< at > extern __printf(4, 5)
 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
        const char *fmt, ...);
 
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern struct audit_buffer *
+audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+
+extern struct audit_buffer *
+audit_log_start_ns(struct user_namespace *ns, struct audit_context *ctx,
+   gfp_t gfp_mask, int type);
+
 extern __printf(2, 3)
 v

[PATCH 13/22] Audit: only allow init user namespace to change ratelimit

Gao feng — 2013-06-19T01:53:45

Because We want to avoid the DoS attack caused by other user
namespace,so don't make audit_rate_limit per user namespace.
And only init user namespace has rights to change it.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0b9cef2..306231d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -295,6 +295,9 < at >< at > static int audit_do_config_change(char *function_name, int *to_change, int new)
 
 static int audit_set_rate_limit(int limit)
 {
+if (current_user_ns() != &init_user_ns)
+return -EPERM;
+
 return audit_do_config_change("audit_rate_limit", &audit_rate_limit, limit);
 }

[PATCH 12/22] Audit: make audit_initialized per user namespace

Gao feng — 2013-06-19T01:53:44

audit_initialized is used to identify if the audit
related resources have been initialized. it should
be per user namespace too.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/user_namespace.h |  1 +
 kernel/audit.c                 | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index a2c0a79..c665569 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
< at >< at > -21,6 +21,7 < at >< at > struct uid_gid_map {/* 64 bytes -- 1 cache line */
 #ifdef CONFIG_AUDIT
 struct audit_ctrl {
 struct sock*sock;
+intinitialized;
 intenabled;
 intpid;
 intportid;
diff --git a/kernel/audit.c b/kernel/audit.c
index 923fe27..0b9cef2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -68,12 +68,12 < at >< at >
 
 #include "audit.h"
 
-/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
+/* No auditing will take place until user

[PATCH 16/22] Audit: make kauditd_wait per user namespace

Gao feng — 2013-06-19T01:53:48

kauditd_task is added to the wait queue kaudit_wait when
there is no audit message being generated in user namespace,
so the kaudit_wait should be per user namespace too.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/user_namespace.h |  1 +
 kernel/audit.c                 | 36 ++++++++++++++++++------------------
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index c665569..28938f3 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
< at >< at > -28,6 +28,7 < at >< at > struct audit_ctrl {
 struct sk_buff_headqueue;
 struct sk_buff_headhold_queue;
 struct task_struct*kauditd_task;
+wait_queue_head_tkauditd_wait;
 boolever_enabled;
 };
 #endif
diff --git a/kernel/audit.c b/kernel/audit.c
index 297ac6e..e3d7da7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -119,7 +119,6 < at >< at > static DEFINE_SPINLOCK(audit_freelist_lock);
 static int   audit_freelist_count;

[PATCH 15/22] Audit: only allow init user namespace to changebacklog_limit

Gao feng — 2013-06-19T01:53:47

Prevent un-init user namespace from generating lots of skb.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 79a8b8e..297ac6e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -303,6 +303,9 < at >< at > static int audit_set_rate_limit(int limit)
 
 static int audit_set_backlog_limit(int limit)
 {
+if (current_user_ns() != &init_user_ns)
+return -EPERM;
+
 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
 }

[PATCH 14/22] Audit: only allow init user namespace to changeaudit_failure

Gao feng — 2013-06-19T01:53:46

Setting audit_failure to AUDIT_FAIL_PANIC may
cause system panic.

We should disallow uninit user namesapce to change it.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 306231d..79a8b8e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -327,6 +327,9 < at >< at > static int audit_set_failure(int state)
     && state != AUDIT_FAIL_PANIC)
 return -EINVAL;
 
+if (current_user_ns() != &init_user_ns)
+return -EPERM;
+
 return audit_do_config_change("audit_failure", &audit_failure, state);
 }

[PATCH 04/22] netlink: Add compare function for netlink_table

Gao feng — 2013-06-19T01:53:36

As we know, netlink sockets are private resource of
net namespace, they can communicate with each other
only when they in the same net namespace. this works
well until we try to add namespace support for other
subsystems which use netlink.

Don't like ipv4 and route table.., it is not suited to
make these subsytems belong to net namespace, Such as
audit and crypto subsystems,they are more suitable to
user namespace.

So we must have the ability to make the netlink sockets
in same user namespace can communicate with each other.

This patch adds a new function pointer "compare" for
netlink_table, we can decide if the netlink sockets can
communicate with each other through this netlink_table
self-defined compare function.

The behavior isn't changed if we don't provide the compare
function for netlink_table.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/netlink.h  |  1 +
 net/netlink/af_netlink.c | 32 ++++++++++++++++++++++++--------
 net/netlink/af_netlink.h |  1

[Part1 PATCH 00/22] Add namespace support for audit

Gao feng — 2013-06-19T01:53:32

This patchset is first part of namespace support for audit.
in this patchset, the mainly resources of audit system have
been isolated. the audit filter, rules havn't been isolated
now. It will be implemented in Part2. We finished the isolation
of user audit message in this patchset.

I choose to assign audit to the user namespace.
Right now,there are six kinds of namespaces, such as
net, mount, ipc, pid, uts and user. the first five
namespaces have special usage. the audit isn't suitable to
belong to these five namespaces, And since the flag of system
call clone is in short supply, we can't provide a new flag such
as CLONE_NEWAUDIT to enable audit namespace separately. so the
user namespace may be the best choice.

[Patch 4/21] add a compare function pointer for netlink table,
so audit subsystem can use it's self-defined compare function
to make sure audit netlink sockets can communicate with each
other when they in the same user namespace. this patch has been
merged into David's net-next tree.

There is one

[PATCH 03/22] Audit: make audit kernel side netlink sock per userns

Gao feng — 2013-06-19T01:53:35

This patch try to make the audit_sock per user namespace,
not global.

Since sock is assigned to net namespace, when creating
a netns, we will allocate a audit_sock for the userns
which create this netns, and this netns will keep alive
until the creator userns being destroyed.

If userns creates many netns, the audit_sock is only
allocated once.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/audit.h          |   5 +++
 include/linux/user_namespace.h |   9 ++++
 kernel/audit.c                 | 100 +++++++++++++++++++++++++++++++----------
 kernel/user_namespace.c        |   2 +
 4 files changed, 93 insertions(+), 23 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index b20b038..85f9d7f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
< at >< at > -439,6 +439,8 < at >< at > extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
 struct task_struct *tsk);
 
+extern void    audi

[PATCH 01/22] Audit: change type of audit_ever_enabled to bool

Gao feng — 2013-06-19T01:53:33

It's better to define audit_ever_enabled as bool.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 2 +-
 kernel/audit.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..ad3084c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -78,7 +78,7 < at >< at > static intaudit_initialized;
 #define AUDIT_ON1
 #define AUDIT_LOCKED2
 intaudit_enabled;
-intaudit_ever_enabled;
+boolaudit_ever_enabled;
 
 EXPORT_SYMBOL_GPL(audit_enabled);
 
diff --git a/kernel/audit.h b/kernel/audit.h
index 1c95131..2258827 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
< at >< at > -205,7 +205,7 < at >< at > struct audit_context {
 #endif
 };
 
-extern int audit_ever_enabled;
+extern bool audit_ever_enabled;
 
 extern void audit_copy_inode(struct audit_names *name,
      const struct dentry *dentry,

[PATCH 11/22] Audit: make audit_ever_enabled per user namespace

Gao feng — 2013-06-19T01:53:43

We set audit_ever_enabled true after we enabled audit once.
and if audit_ever_enabled is true, we will allocate audit
context for task.

We should decide if to allocate audit context for tasks based on
if the audit is enabled once in the user namespace which the
task belongs to.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/user_namespace.h | 1 +
 kernel/audit.c                 | 7 +++----
 kernel/auditsc.c               | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 9972f0f..a2c0a79 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
< at >< at > -27,6 +27,7 < at >< at > struct audit_ctrl {
 struct sk_buff_headqueue;
 struct sk_buff_headhold_queue;
 struct task_struct*kauditd_task;
+boolever_enabled;
 };
 #endif
 
diff --git a/kernel/audit.c b/kernel/audit.c
index 758b1e8..923fe27 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -78,7 +78,6 < at >< at >

[PATCH 08/22] Audit: make kauditd_task per user namespace

Gao feng — 2013-06-19T01:53:40

This patch makes kauditd_task per user namespace,
Since right now we only allow user in init user
namesapce to send audit netlink message to kernel,
so actually the kauditd_task belongs to other user
namespace will still not run.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/audit.h          |  1 +
 include/linux/user_namespace.h | 15 +++++++++--
 kernel/audit.c                 | 58 ++++++++++++++++++++++++++----------------
 kernel/audit.h                 |  5 ++--
 kernel/auditsc.c               |  6 ++---
 5 files changed, 55 insertions(+), 30 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6720901..179351d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
< at >< at > -26,6 +26,7 < at >< at >
 #include <linux/sched.h>
 #include <linux/ptrace.h>
 #include <uapi/linux/audit.h>
+#include <linux/user_namespace.h>
 
 struct audit_sig_info {
 uid_tuid;
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 53

[PATCH 02/22] Audit: remove duplicate comments

Gao feng — 2013-06-19T01:53:34

Remove it.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 kernel/audit.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index ad3084c..843e7a2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -1067,13 +1067,6 < at >< at > static void wait_for_auditd(unsigned long sleep_time)
 remove_wait_queue(&audit_backlog_wait, &wait);
 }
 
-/* Obtain an audit buffer.  This routine does locking to obtain the
- * audit buffer, but then no locking is required for calls to
- * audit_log_*format.  If the tsk is a task that is currently in a
- * syscall, then the syscall is marked as auditable and an audit record
- * will be written at syscall exit.  If there is no associated task, tsk
- * should be NULL. */
-
 /**
  * audit_log_start - obtain an audit buffer
  * < at >ctx: audit_context (may be NULL)

[PATCH 07/22] Audit: make audit_skb_hold_queue per user namespace

Gao feng — 2013-06-19T01:53:39

After this patch, ervery user namespace has one
audit_skb_hold_queue. Since we havn't finish the
preparations, only allow user to operate the skb
hold queue of init user namespace.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/user_namespace.h |  1 +
 kernel/audit.c                 | 16 +++++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index e322f20..53420a4 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
< at >< at > -22,6 +22,7 < at >< at > struct uid_gid_map {/* 64 bytes -- 1 cache line */
 struct audit_ctrl {
 struct sock*sock;
 struct sk_buff_headqueue;
+struct sk_buff_headhold_queue;
 };
 #endif
 
diff --git a/kernel/audit.c b/kernel/audit.c
index e2f6366..75325f0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
< at >< at > -131,8 +131,6 < at >< at > static DEFINE_SPINLOCK(audit_freelist_lock);
 static int   audit_freelist_count;
 static LIST_HEAD(audit_free

[PATCH 06/22] Audit: make audit_skb_queue per user namespace

Gao feng — 2013-06-19T01:53:38

After this patch, ervery user namespace has one
audit_skb_queue. Since we havn't finish the preparations,
only allow user to operate the skb queue of init user
namespace.

Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A< at >public.gmane.org>
---
 include/linux/audit.h          |  4 ++++
 include/linux/user_namespace.h |  2 ++
 kernel/audit.c                 | 34 +++++++++++++++++++++++++---------
 kernel/user_namespace.c        |  1 +
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 85f9d7f..6720901 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
< at >< at > -439,6 +439,7 < at >< at > extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
 struct task_struct *tsk);
 
+extern void    audit_set_user_ns(struct user_namespace *ns);
 extern void    audit_free_user_ns(struct user_namespace *ns);
 
 extern int    audit_update_lsm_rules(void);
< at >< at > -495,6 +496,9 < at >< at > static inline