[systemd-commits] man/systemd-nspawn.xml src/nspawn src/shared

Lennart Poettering lennart at kemper.freedesktop.org
Tue Feb 11 18:03:06 PST 2014


 man/systemd-nspawn.xml |   13 -------------
 src/nspawn/nspawn.c    |   46 ++++++++++++++++++++++++++++++++--------------
 src/shared/audit.c     |    8 --------
 3 files changed, 32 insertions(+), 35 deletions(-)

New commits:
commit db999e0f923ca6c2c1b919d0f1c916472f209e62
Author: Lennart Poettering <lennart at poettering.net>
Date:   Wed Feb 12 02:52:39 2014 +0100

    nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 9d8db83..8f92b84 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -144,19 +144,6 @@
         </refsect1>
 
         <refsect1>
-                <title>Incompatibility with Auditing</title>
-
-                <para>Note that the kernel auditing subsystem is
-                currently broken when used together with
-                containers. We hence recommend turning it off entirely
-                by booting with <literal>audit=0</literal> on the
-                kernel command line, or by turning it off at kernel
-                build time. If auditing is enabled in the kernel,
-                operating systems booted in an nspawn container might
-                refuse log-in attempts.</para>
-        </refsect1>
-
-        <refsect1>
                 <title>Options</title>
 
                 <para>If option <option>-b</option> is specified, the
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 97ef6c7..d5add4a 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1198,15 +1198,37 @@ static int terminate_machine(pid_t pid) {
         return 0;
 }
 
-static bool audit_enabled(void) {
-        int fd;
+static int reset_audit_loginuid(void) {
+        _cleanup_free_ char *p = NULL;
+        int r;
+
+        if (arg_share_system)
+                return 0;
+
+        r = read_one_line_file("/proc/self/loginuid", &p);
+        if (r == -EEXIST)
+                return 0;
+        if (r < 0) {
+                log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
+                return r;
+        }
+
+        /* Already reset? */
+        if (streq(p, "4294967295"))
+                return 0;
+
+        r = write_string_file("/proc/self/loginuid", "4294967295");
+        if (r < 0) {
+                log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
+                          "old and you have audit enabled. Note that the auditing subsystem is known to\n"
+                          "be incompatible with containers on old kernels. Please make sure to upgrade\n"
+                          "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
+                          "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
 
-        fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
-        if (fd >= 0) {
-                close_nointr_nofail(fd);
-                return true;
+                sleep(5);
         }
-        return false;
+
+        return 0;
 }
 
 int main(int argc, char *argv[]) {
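Review bot: The `r == -EEXIST` test in reset_audit_loginuid() looks like it was meant to be `-ENOENT`: a kernel built without audit support has no /proc/self/loginuid, and assuming read_one_line_file() passes through the errno from opening the file, that case lands in the `r < 0` branch, logs an error and sends the child to `child_fail` instead of returning 0. Suggest `if (r == -ENOENT) return 0;` with a short comment such as `/* no audit support in this kernel, nothing to reset */`. Separately, the write-failure path returns 0 after the sleep, so the container payload starts with the invoker's login UID still attached; since this commit also drops the container guards in src/shared/audit.c, a one-line comment stating that continuing here is deliberate best-effort would help the next reader. The error text also reads "or to off auditing", which is missing the word "turn".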
@@ -1271,13 +1293,6 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        if (arg_boot && audit_enabled()) {
-                log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n"
-                            "Please make sure to turn off auditing with 'audit=0' on the kernel command\n"
-                            "line before using systemd-nspawn. Sleeping for 5s...\n");
-                sleep(5);
-        }
-
         if (path_equal(arg_directory, "/")) {
                 log_error("Spawning container on root directory not supported.");
                 goto finish;
@@ -1436,6 +1451,9 @@ int main(int argc, char *argv[]) {
                                 goto child_fail;
                         }
 
+                        if (reset_audit_loginuid() < 0)
+                                goto child_fail;
+
                         if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
                                 log_error("PR_SET_PDEATHSIG failed: %m");
                                 goto child_fail;
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 8038ac3..5466447 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -42,10 +42,6 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
 
         assert(id);
 
-        /* Audit doesn't support containers right now */
-        if (detect_container(NULL) > 0)
-                return -ENOTSUP;
-
         p = procfs_file_alloca(pid, "sessionid");
 
         r = read_one_line_file(p, &s);
@@ -71,10 +67,6 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
 
         assert(uid);
 
-        /* Audit doesn't support containers right now */
-        if (detect_container(NULL) > 0)
-                return -ENOTSUP;
-
         p = procfs_file_alloca(pid, "loginuid");
 
         r = read_one_line_file(p, &s);


