author | Lennart Poettering <lennart@poettering.net> | 2014-02-12 02:52:39 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-12 03:02:09 +0100 |
commit | db999e0f923ca6c2c1b919d0f1c916472f209e62 (patch) | |
tree | 16787cf5dd7258402b56082556e0c03594aec0ed | |
parent | dd513a5dbfa0d5f97084c7c8e475530a03cfd973 (diff) |
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
-rw-r--r-- | man/systemd-nspawn.xml | 13 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 46 | ||||
-rw-r--r-- | src/shared/audit.c | 8 |
3 files changed, 32 insertions, 35 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 9d8db83e81..8f92b84304 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -144,19 +144,6 @@ </refsect1> <refsect1> - <title>Incompatibility with Auditing</title> - - <para>Note that the kernel auditing subsystem is - currently broken when used together with - containers. We hence recommend turning it off entirely - by booting with <literal>audit=0</literal> on the - kernel command line, or by turning it off at kernel - build time. If auditing is enabled in the kernel, - operating systems booted in an nspawn container might - refuse log-in attempts.</para> - </refsect1> - - <refsect1> <title>Options</title> <para>If option <option>-b</option> is specified, the diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 97ef6c799d..d5add4a45e 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c 
@@ -1198,15 +1198,37 @@ static int terminate_machine(pid_t pid) {
 return 0;
 }
 
-static bool audit_enabled(void) {
- int fd;
+static int reset_audit_loginuid(void) {
+ _cleanup_free_ char *p = NULL;
+ int r;
+
+ if (arg_share_system)
+ return 0;
+
+ r = read_one_line_file("/proc/self/loginuid", &p);
+ if (r == -EEXIST)
+ return 0;
+ if (r < 0) {
+ log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
+ return r;
+ }
+
+ /* Already reset? */
+ if (streq(p, "4294967295"))
+ return 0;
+
+ r = write_string_file("/proc/self/loginuid", "4294967295");
+ if (r < 0) {
+ log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
+ "old and you have audit enabled. Note that the auditing subsystem is known to\n"
+ "be incompatible with containers on old kernels. Please make sure to upgrade\n"
+ "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
+ "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
 
- fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
- if (fd >= 0) {
- close_nointr_nofail(fd);
- return true;
+ sleep(5);
 }
- return false;
+
+ return 0;
 }
 
 int main(int argc, char *argv[]) {
@@ -1271,13 +1293,6 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
 
- if (arg_boot && audit_enabled()) {
- log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
- "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
- "line before using systemd-nspawn. Sleeping for 5s...\n");
- sleep(5);
- }
-
 if (path_equal(arg_directory, "/")) {
 log_error("Spawning container on root directory not supported.");
 goto finish;
@@ -1436,6 +1451,9 @@ int main(int argc, char *argv[]) {
 goto child_fail;
 }
 
+ if (reset_audit_loginuid() < 0)
+ goto child_fail;
+
 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
 log_error("PR_SET_PDEATHSIG failed: %m");
 goto child_fail;
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 8038ac3c12..5466447737 100644
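Review bot: The early return `if (r == -EEXIST) return 0;` in reset_audit_loginuid tests the wrong errno — on a kernel built without audit support there is no /proc/self/loginuid, and opening a missing file yields ENOENT, not EEXIST, so that case falls through to the `r < 0` branch, logs an error and returns it, which the third hunk turns into child_fail and an aborted container start; the guard should read `if (r == -ENOENT) return 0;`. read_one_line_file is not shown here, but the strerror(-r) usage next to it suggests it returns a negative errno from the open, in which case a read can never produce EEXIST and the check is dead as written. The user-facing failure message also has a typo, "or to off auditing" should be "or to turn off auditing". Since the commit removes the "Incompatibility with Auditing" section without replacing it, the man page could note that nspawn resets the audit login UID in the container child (presumably inherited by everything started inside), so host audit records for container processes will carry the unset loginuid 4294967295 rather than the launching administrator's session, which matters for attribution on audited hosts.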
--- a/src/shared/audit.c +++ b/src/shared/audit.c @@ -42,10 +42,6 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) { assert(id); - /* Audit doesn't support containers right now */ - if (detect_container(NULL) > 0) - return -ENOTSUP; - p = procfs_file_alloca(pid, "sessionid"); r = read_one_line_file(p, &s); @@ -71,10 +67,6 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) { assert(uid); - /* Audit doesn't support containers right now */ - if (detect_container(NULL) > 0) - return -ENOTSUP; - p = procfs_file_alloca(pid, "loginuid"); r = read_one_line_file(p, &s); |