summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorTomáš Janoušek <tomi@nomi.cz>2016-09-16 01:26:31 +0200
committerEvgeny Vereshchagin <evvers@ya.ru>2016-09-16 02:26:31 +0300
commit7dabbb55a8744a43ec869839ef371b184c8d2ffe (patch)
tree98604277ead34bb6f15cfeef1e94e481246c514e /src
parent390e02073514cc6972aa8bc5f10d974c226ecbcb (diff)
logind: fix /run/user/$UID creation in apparmor-confined containers (#4154)
When a docker container is confined with AppArmor [1] and happens to run on top of a kernel that supports mount mediation [2], e.g. any Ubuntu kernel, mount(2) returns EACCES instead of EPERM. This then leads to: systemd-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied login[42]: pam_systemd(login:session): Failed to create session: Access denied and user sessions don't start. This also applies to selinux that too returns EACCES on mount denial. [1] https://github.com/docker/docker/blob/master/docs/security/apparmor.md#understand-the-policies [2] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/kernel-patches/4.7/0025-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
Diffstat (limited to 'src')
-rw-r--r--src/login/logind-user.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index e0e73b034d..2dc5fa7665 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -354,14 +354,12 @@ static int user_mkdir_runtime_path(User *u) {
r = mount("tmpfs", u->runtime_path, "tmpfs", MS_NODEV|MS_NOSUID, t);
if (r < 0) {
- if (errno != EPERM) {
+ if (errno != EPERM && errno != EACCES) {
r = log_error_errno(errno, "Failed to mount per-user tmpfs directory %s: %m", u->runtime_path);
goto fail;
}
- /* Lacking permissions, maybe
- * CAP_SYS_ADMIN-less container? In this case,
- * just use a normal directory. */
+ log_debug_errno(errno, "Failed to mount per-user tmpfs directory %s, assuming containerized execution, ignoring: %m", u->runtime_path);
r = chmod_and_chown(u->runtime_path, 0700, u->uid, u->gid);
if (r < 0) {