From: Lennart Poettering Date: Wed, 12 Feb 2014 01:52:39 +0000 (+0100) Subject: nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this X-Git-Tag: v209~175 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=db999e0f923ca6c2c1b919d0f1c916472f209e62 nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this --- diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 9d8db83e8..8f92b8430 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -143,19 +143,6 @@ contain this file out-of-the-box. - - Incompatibility with Auditing - - Note that the kernel auditing subsystem is - currently broken when used together with - containers. We hence recommend turning it off entirely - by booting with audit=0 on the - kernel command line, or by turning it off at kernel - build time. If auditing is enabled in the kernel, - operating systems booted in an nspawn container might - refuse log-in attempts. - - Options diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 97ef6c799..d5add4a45 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c 
@@ -1198,15 +1198,37 @@ static int terminate_machine(pid_t pid) {
 return 0;
 }
-static bool audit_enabled(void) {
- int fd;
+static int reset_audit_loginuid(void) {
+ _cleanup_free_ char *p = NULL;
+ int r;
+
+ if (arg_share_system)
+ return 0;
+
+ r = read_one_line_file("/proc/self/loginuid", &p);
+ if (r == -EEXIST)
+ return 0;
+ if (r < 0) {
+ log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
+ return r;
+ }
+
+ /* Already reset? */
+ if (streq(p, "4294967295"))
+ return 0;
+
+ r = write_string_file("/proc/self/loginuid", "4294967295");
+ if (r < 0) {
+ log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
+ "old and you have audit enabled. Note that the auditing subsystem is known to\n"
+ "be incompatible with containers on old kernels. Please make sure to upgrade\n"
+ "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
+ "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
- fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
- if (fd >= 0) {
- close_nointr_nofail(fd);
- return true;
+ sleep(5);
 }
- return false;
+
+ return 0;
 }
 int main(int argc, char *argv[]) {
@@ -1271,13 +1293,6 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- if (arg_boot && audit_enabled()) {
- log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
- "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
- "line before using systemd-nspawn. Sleeping for 5s...\n");
- sleep(5);
- }
-
 if (path_equal(arg_directory, "/")) {
 log_error("Spawning container on root directory not supported.");
 goto finish;
@@ -1436,6 +1451,9 @@ int main(int argc, char *argv[]) {
 goto child_fail;
 }
+ if (reset_audit_loginuid() < 0)
+ goto child_fail;
+
 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
 log_error("PR_SET_PDEATHSIG failed: %m");
 goto child_fail;
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 8038ac3c1..546644773 100644
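Review bot: The early return at the top of reset_audit_loginuid() in the first hunk checks the wrong error code: on a kernel built without audit there is no /proc/self/loginuid, and read_one_line_file() presumably reports a missing file as -ENOENT (fopen's errno), never -EEXIST, so such kernels fall into the `r < 0` branch and the child aborts via child_fail although no reset is needed at all. The check should be `if (r == -ENOENT) return 0;`. Separately, a failed write is downgraded to a 5 s warning followed by `return 0`, so the container then boots with the host's loginuid still set — the very condition the removed audit_enabled() warning was about — which deserves a comment above `sleep(5)` such as `/* Old kernel: cannot reset, continue anyway; the guest inherits our loginuid and its own logins may fail. */`. The warning text also has a typo: `to off auditing` should read `to turn off auditing`.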
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -42,10 +42,6 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
 assert(id);
- /* Audit doesn't support containers right now */
- if (detect_container(NULL) > 0)
- return -ENOTSUP;
-
 p = procfs_file_alloca(pid, "sessionid");
 r = read_one_line_file(p, &s);
@@ -71,10 +67,6 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
 assert(uid);
- /* Audit doesn't support containers right now */
- if (detect_container(NULL) > 0)
- return -ENOTSUP;
-
 p = procfs_file_alloca(pid, "loginuid");
 r = read_one_line_file(p, &s);