summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-12 02:52:39 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-12 03:02:09 +0100
commitdb999e0f923ca6c2c1b919d0f1c916472f209e62 (patch)
tree16787cf5dd7258402b56082556e0c03594aec0ed
parentdd513a5dbfa0d5f97084c7c8e475530a03cfd973 (diff)
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
-rw-r--r--man/systemd-nspawn.xml13
-rw-r--r--src/nspawn/nspawn.c46
-rw-r--r--src/shared/audit.c8
3 files changed, 32 insertions, 35 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 9d8db83e81..8f92b84304 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -144,19 +144,6 @@
</refsect1>
<refsect1>
- <title>Incompatibility with Auditing</title>
-
- <para>Note that the kernel auditing subsystem is
- currently broken when used together with
- containers. We hence recommend turning it off entirely
- by booting with <literal>audit=0</literal> on the
- kernel command line, or by turning it off at kernel
- build time. If auditing is enabled in the kernel,
- operating systems booted in an nspawn container might
- refuse log-in attempts.</para>
- </refsect1>
-
- <refsect1>
<title>Options</title>
<para>If option <option>-b</option> is specified, the
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 97ef6c799d..d5add4a45e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1198,15 +1198,37 @@ static int terminate_machine(pid_t pid) {
return 0;
}
-static bool audit_enabled(void) {
- int fd;
+static int reset_audit_loginuid(void) {
+ _cleanup_free_ char *p = NULL;
+ int r;
+
+ if (arg_share_system)
+ return 0;
+
+ r = read_one_line_file("/proc/self/loginuid", &p);
+ if (r == -EEXIST)
+ return 0;
+ if (r < 0) {
+ log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
+ return r;
+ }
+
+ /* Already reset? */
+ if (streq(p, "4294967295"))
+ return 0;
+
+ r = write_string_file("/proc/self/loginuid", "4294967295");
+ if (r < 0) {
+ log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
+ "old and you have audit enabled. Note that the auditing subsystem is known to\n"
+ "be incompatible with containers on old kernels. Please make sure to upgrade\n"
+ "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
+ "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
- fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
- if (fd >= 0) {
- close_nointr_nofail(fd);
- return true;
+ sleep(5);
}
- return false;
+
+ return 0;
}
int main(int argc, char *argv[]) {
@@ -1271,13 +1293,6 @@ int main(int argc, char *argv[]) {
goto finish;
}
- if (arg_boot && audit_enabled()) {
- log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
- "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
- "line before using systemd-nspawn. Sleeping for 5s...\n");
- sleep(5);
- }
-
if (path_equal(arg_directory, "/")) {
log_error("Spawning container on root directory not supported.");
goto finish;
@@ -1436,6 +1451,9 @@ int main(int argc, char *argv[]) {
goto child_fail;
}
+ if (reset_audit_loginuid() < 0)
+ goto child_fail;
+
if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
log_error("PR_SET_PDEATHSIG failed: %m");
goto child_fail;
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 8038ac3c12..5466447737 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -42,10 +42,6 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
assert(id);
- /* Audit doesn't support containers right now */
- if (detect_container(NULL) > 0)
- return -ENOTSUP;
-
p = procfs_file_alloca(pid, "sessionid");
r = read_one_line_file(p, &s);
@@ -71,10 +67,6 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
assert(uid);
- /* Audit doesn't support containers right now */
- if (detect_container(NULL) > 0)
- return -ENOTSUP;
-
p = procfs_file_alloca(pid, "loginuid");
r = read_one_line_file(p, &s);