audit: since nspawn now sets CAP_AUDIT_CONTROL for containers we cannot user this...

As audit is still broken in containers we need a reliable way how we can
determine whether the audit data we read from 7proc is actually useful.
Previously we used CAP_AUDIT_CONTROL for this, since nspawn removed that
from the nspawn container. This has changed a while back however, which
means we used audit data of host system in the container.

This adds an explicit container check to the audit calls, so that all
audit data is turned off in containers.

This should fix session creation with pam_systemd/logind in nspawn containers.

diff --git a/src/shared/audit.c b/src/shared/audit.c
index 138ca1d7fac902bb6bfee4b5dfdc210ebceb7ac6..97560cc9a3f462e9461b250914baf8778af16294 100644 (file)
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -34,6 +34,7 @@
 #include "util.h"
 #include "log.h"
 #include "fileio.h"
+#include "virt.h"
 
 int audit_session_from_pid(pid_t pid, uint32_t *id) {
         char *s;
@@ -45,6 +46,10 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
         if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
                 return -ENOENT;
 
+        /* Audit doesn't support containers right now */
+        if (detect_container(NULL) > 0)
+                return -ENOTSUP;
+
         if (pid == 0)
                 r = read_one_line_file("/proc/self/sessionid", &s);
         else {
@@ -90,6 +95,10 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
         if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
                 return -ENOENT;
 
+        /* Audit doesn't support containers right now */
+        if (detect_container(NULL) > 0)
+                return -ENOTSUP;
+
         if (pid == 0)
                 r = read_one_line_file("/proc/self/loginuid", &s);
         else {