summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2013-04-15 21:55:12 +0200
committerLennart Poettering <lennart@poettering.net>2013-04-15 21:59:04 +0200
commit9a3ef988b8442360500e7df4db3ff27d2f13de10 (patch)
tree29712050075a0c7ba805a8be01ccda3a6634c5be
parent7a9ec5c9027d919839ab6e286ede753caa164241 (diff)
audit: since nspawn now sets CAP_AUDIT_CONTROL for containers we cannot user this anymore to skip audit session ID retrieval
As audit is still broken in containers we need a reliable way how we can determine whether the audit data we read from 7proc is actually useful. Previously we used CAP_AUDIT_CONTROL for this, since nspawn removed that from the nspawn container. This has changed a while back however, which means we used audit data of host system in the container. This adds an explicit container check to the audit calls, so that all audit data is turned off in containers. This should fix session creation with pam_systemd/logind in nspawn containers.
-rw-r--r--src/shared/audit.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 138ca1d7fa..97560cc9a3 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -34,6 +34,7 @@
#include "util.h"
#include "log.h"
#include "fileio.h"
+#include "virt.h"
int audit_session_from_pid(pid_t pid, uint32_t *id) {
char *s;
@@ -45,6 +46,10 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
+ /* Audit doesn't support containers right now */
+ if (detect_container(NULL) > 0)
+ return -ENOTSUP;
+
if (pid == 0)
r = read_one_line_file("/proc/self/sessionid", &s);
else {
@@ -90,6 +95,10 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
+ /* Audit doesn't support containers right now */
+ if (detect_container(NULL) > 0)
+ return -ENOTSUP;
+
if (pid == 0)
r = read_one_line_file("/proc/self/loginuid", &s);
else {