[systemd-commits] Makefile.am src/nspawn

Thu Feb 13 20:31:13 CET 2014

Makefile.am         |    3 +-
 src/nspawn/nspawn.c |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)

New commits:
commit 24fb111207566f3bb33c6438714fb5df44ed4305
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Feb 13 20:30:02 2014 +0100

    nspawn: make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOTSUPPORT in containers
    
    The kernel still doesn't support audit in containers, so let's make use
    of seccomp and simply turn it off entirely. We can get rid of this big
    as soon as the kernel is fixed again.

diff --git a/Makefile.am b/Makefile.am
index 61d678f..181b346 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1850,7 +1850,8 @@ systemd_nspawn_LDADD = \
 	libsystemd-internal.la \
 	libsystemd-daemon-internal.la \
 	libudev-internal.la \
-	libsystemd-shared.la
+	libsystemd-shared.la \
+	$(SECCOMP_LIBS)
 
 # ------------------------------------------------------------------------------
 systemd_run_SOURCES = \
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index b4c5a54..3a6d428 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -49,6 +49,10 @@
 #include <selinux/selinux.h>
 #endif
 
+#ifdef HAVE_SECCOMP
+#include <seccomp.h>
+#endif
+
 #include "sd-daemon.h"
 #include "sd-bus.h"
 #include "sd-id128.h"
@@ -1432,6 +1436,57 @@ static int move_network_interfaces(pid_t pid) {
         return 0;
 }
 
+static int audit_still_doesnt_work_in_containers(void) {
+
+#ifdef HAVE_SECCOMP
+        scmp_filter_ctx seccomp;
+        int r;
+
+        /*
+           Audit is broken in containers, much of the userspace audit
+           hookup will fail if running inside a container. We don't
+           care and just turn off creation of audit sockets.
+
+           This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+           with EAFNOSUPPORT which audit userspace uses as indication
+           that audit is disabled in the kernel.
+         */
+
+        seccomp = seccomp_init(SCMP_ACT_ALLOW);
+        if (!seccomp)
+                return log_oom();
+
+        r = seccomp_rule_add_exact(
+                        seccomp,
+                        SCMP_ACT_ERRNO(EAFNOSUPPORT),
+                        SCMP_SYS(socket),
+                        2,
+                        SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
+                        SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
+        if (r < 0) {
+                log_error("Failed to add audit seccomp rule: %s", strerror(-r));
+                goto finish;
+        }
+
+        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+        if (r < 0) {
+                log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+                goto finish;
+        }
+
+        r = seccomp_load(seccomp);
+        if (r < 0)
+                log_error("Failed to install seccomp audit filter: %s", strerror(-r));
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+#else
+        return 0;
+#endif
+
+}
+
 int main(int argc, char *argv[]) {
 
         _cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1, netns_fd = -1;
@@ -1707,6 +1762,9 @@ int main(int argc, char *argv[]) {
                                 netns_fd = -1;
                         }
 
+                        if (audit_still_doesnt_work_in_containers() < 0)
+                                goto child_fail;
+
                         if (setup_dev_console(arg_directory, console) < 0)
                                 goto child_fail;
 

