author | Lennart Poettering <lennart@poettering.net> | 2014-02-12 02:52:39 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-12 03:02:09 +0100 |
commit | db999e0f923ca6c2c1b919d0f1c916472f209e62 (patch) | |
tree | 16787cf5dd7258402b56082556e0c03594aec0ed /src | |
parent | dd513a5dbfa0d5f97084c7c8e475530a03cfd973 (diff) |
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
Diffstat (limited to 'src')
-rw-r--r-- | src/nspawn/nspawn.c | 46 | ||||
-rw-r--r-- | src/shared/audit.c | 8 |
2 files changed, 32 insertions, 22 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 97ef6c799d..d5add4a45e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1198,15 +1198,37 @@ static int terminate_machine(pid_t pid) {
         return 0;
 }
 
-static bool audit_enabled(void) {
-        int fd;
+static int reset_audit_loginuid(void) {
+        _cleanup_free_ char *p = NULL;
+        int r;
+
+        if (arg_share_system)
+                return 0;
+
+        r = read_one_line_file("/proc/self/loginuid", &p);
+        if (r == -EEXIST)
+                return 0;
+        if (r < 0) {
+                log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
+                return r;
+        }
+
+        /* Already reset? */
+        if (streq(p, "4294967295"))
+                return 0;
+
+        r = write_string_file("/proc/self/loginuid", "4294967295");
+        if (r < 0) {
+                log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
+                          "old and you have audit enabled. Note that the auditing subsystem is known to\n"
+                          "be incompatible with containers on old kernels. Please make sure to upgrade\n"
+                          "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
+                          "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
 
-        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
-        if (fd >= 0) {
-                close_nointr_nofail(fd);
-                return true;
+                sleep(5);
         }
-        return false;
+
+        return 0;
 }
 
 int main(int argc, char *argv[]) {
@@ -1271,13 +1293,6 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        if (arg_boot && audit_enabled()) {
-                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
-                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
-                            "line before using systemd-nspawn. Sleeping for 5s...\n");
-                sleep(5);
-        }
-
         if (path_equal(arg_directory, "/")) {
                 log_error("Spawning container on root directory not supported.");
                 goto finish;
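Review bot: `if (r == -EEXIST)` in reset_audit_loginuid tests the wrong errno: EEXIST means "file exists", whereas a kernel built without audit support has no /proc/self/loginuid at all, and read_one_line_file presumably propagates the open() failure as -ENOENT, which then falls through to the log_error and `return r;`. At the call site in the third hunk that return value becomes `goto child_fail`, so the container would refuse to start on precisely the kernels that have no audit problem to work around; the guard should read `if (r == -ENOENT) return 0;`. Two smaller points: the message in the write-failure branch says "or to off auditing", which should be "or to turn off auditing", and the function deserves a header comment such as `/* Kernels >= 3.14 allow resetting the audit loginuid to -1 (4294967295); on older kernels the write fails, which is logged but not fatal. Skipped when the container shares the host's system. */` so the deliberate "log, sleep, return 0" on write failure is not mistaken for a missed error path.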
@@ -1436,6 +1451,9 @@ int main(int argc, char *argv[]) {
                 goto child_fail;
         }
 
+        if (reset_audit_loginuid() < 0)
+                goto child_fail;
+
         if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
                 log_error("PR_SET_PDEATHSIG failed: %m");
                 goto child_fail;
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 8038ac3c12..5466447737 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -42,10 +42,6 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
 
         assert(id);
 
-        /* Audit doesn't support containers right now */
-        if (detect_container(NULL) > 0)
-                return -ENOTSUP;
-
         p = procfs_file_alloca(pid, "sessionid");
 
         r = read_one_line_file(p, &s);
@@ -71,10 +67,6 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
 
         assert(uid);
 
-        /* Audit doesn't support containers right now */
-        if (detect_container(NULL) > 0)
-                return -ENOTSUP;
-
         p = procfs_file_alloca(pid, "loginuid");
 
         r = read_one_line_file(p, &s); |