[systemd-devel] [PATCH] journal: don't complain about audit socket errors in a container.
Lennart Poettering
lennart at poettering.net
Mon Apr 20 11:38:18 PDT 2015
On Wed, 15.04.15 00:22, Frank Thalberg (frankthalberg at ruggedinbox.com) wrote:
> > nspawn at least grants audit caps to containers. If you don't grant
> > audit caps you cannot boot distros like Fedora at all, since much of
> > the PAM audit code in Fedora is written to fail completely if audit
> > is on in the kernel, but cannot be used.
>
> My first impression was that container/namespaces aren't supported
> inside the audit kernel code at all.
Yes. Which is why we suggest to either specify audit=0 on the kernel
cmdline, or (on x86-64 only) mask the audit support away via seccomp
in nspawn.
Is this on 32bit userspace or something like that? Or on non-x86 or so?
> I still have to butt in though. There are 2 issues here at hand.
>
> The first one: It doesn't look to me like the audit subsystem within the
> kernel is ready for namespaces. They aren't directly rejected but I
> can't see any measurements to separate namespaces. It would be quite
> unfortunate if processes within a namespace could receive audit events
> from another namespace.
Yes. audit is broken.
> The second problem is rather simple: it seems libcap currently doesn't
> understand the CAP_AUDIT_READ value so passing it to the --capability=
> option is not an (easy) option.
Hmm, we actually don't use libcap for converting the caps to strings
anymore. It should just work.
However, CAP_AUDIT_READ is among the default caps we pass, this should
hence be unnecessary anyway.
> Given that I would suggest to treat the whole audit subsystem to be
> optional and don't fail too hard if it can't be used. Unfortunately
> pre-built packages can't offer the option to configure this
> behavior.
Well, sure, I am all for making audit optional. I am just wondering
why this precise error happens for you even though I have never seen
it like this elsewhere...
> > Hmm, excluding the audit code from the build if HAVE_AUDIT is not set
> > is certainly a good idea, but we generally try to keep #ifdeffery out
> > of .c files. More specifically, the journald-audit.c file should not
> > be compiled and linked at all on non-audit builds, and
> > journald-audit.h should contain the #ifdeffery that causes
> > server_open_audit() to become a NOP on such builds. Would be happy to
> > take a patch for that.
>
> Can't agree more with you here. Your solution to the problem is a
> little more work than I was initially willing to invest into the
> problem. I'll gladly provide a better patch for this given the
> interest in handling this.
I'd be happy to merge a patch like this!
Thanks,
Lennart
--
Lennart Poettering, Red Hat
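An added sketch, not systemd's code, of the two layers discussed above: the header-level `#ifdef HAVE_AUDIT` that turns `server_open_audit()` into a no-op on non-audit builds (so the caller carries no `#ifdef`), plus run-time tolerance for the case where the build has audit but the kernel or container does not (audit=0, seccomp-masked, or missing capability). The `Server` struct, the `audit_open_fn` injection hook, `server_open_audit_with()` and the constructed opener functions are hypothetical names chosen for this example; only the error-class split ("audit unusable here" is non-fatal, anything else is still reported) is the point.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical journal server state (not systemd's Server struct). */
typedef struct Server {
        int audit_fd;            /* -1 when audit is not in use */
        int audit_unavailable;   /* set when the kernel/container has no usable audit */
} Server;

/* Injectable opener so the example runs without a real NETLINK_AUDIT socket:
 * returns a descriptor >= 0 on success, or -errno on failure. */
typedef int (*audit_open_fn)(void);

/* Run-time handling: "audit not usable here" is a condition to log once and
 * continue without, not a reason for the journal to fail. */
int server_open_audit_with(Server *s, audit_open_fn open_fn) {
        int fd = open_fn();
        if (fd >= 0) {
                s->audit_fd = fd;
                return 0;
        }
        switch (-fd) {
        case EAFNOSUPPORT:
        case EPROTONOSUPPORT:
        case EPERM:
        case EACCES:
                /* Kernel built/booted without audit, audit masked via seccomp,
                 * or container lacks the audit capability: run without it. */
                s->audit_fd = -1;
                s->audit_unavailable = 1;
                return 0;
        default:
                /* Unexpected failure classes are still surfaced to the caller. */
                s->audit_fd = -1;
                return fd;
        }
}

#ifdef HAVE_AUDIT
/* On audit builds this would be the real opener, living in journald-audit.c. */
int server_open_audit(Server *s);
#else
/* Non-audit build: the header makes the call a no-op, so journald-server.c
 * can call it unconditionally and stay free of #ifdefs. */
static inline int server_open_audit(Server *s) {
        s->audit_fd = -1;
        s->audit_unavailable = 1;
        return 0;
}
#endif

/* Constructed stand-ins for socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT). */
static int open_ok(void)          { return 42; }                /* pretend descriptor */
static int open_no_audit(void)    { return -EPROTONOSUPPORT; }  /* audit=0 or masked */
static int open_other_error(void) { return -ENOMEM; }           /* genuine failure */

int main(void) {
        Server s = { .audit_fd = -1, .audit_unavailable = 0 };

        if (server_open_audit_with(&s, open_no_audit) == 0 && s.audit_unavailable)
                printf("audit unavailable in this environment, continuing without it\n");

        if (server_open_audit_with(&s, open_other_error) < 0)
                printf("audit open failed for a different reason: %d\n", -ENOMEM);

        return 0;
}
```

On a `HAVE_AUDIT` build the inline stub is never compiled and the real opener is expected to route its failures through the same error classification; on a non-audit build the whole run-time path is unreachable and the caller still compiles unchanged.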