[systemd-devel] [PATCH] core: check system call auditing is enabled
Jon Masters
jonathan at jonmasters.org
Tue Feb 19 11:29:17 PST 2013
From: Jon Masters <jcm at jonmasters.org>
Systemd relies upon CONFIG_AUDITSYSCALL support being present in the kernel.
This is because systemd-logind calls audit_session_from_pid, which uses
/proc/self/sessionid to determine whether an existing session is being
replaced as part of e.g. a call to sudo, pkexec, or similar. Without
support for system call auditing, these commands will silently fail as
their session is killed immediately after it is created by systemd.
For now, add a check after the existing cgroups test, but in the future
these functions should all move into a generic check_kconfig function
that tests all of the configured kernel options, including these for
compliance with the evolving base platform requirements of systemd.
Signed-off-by: Jon Masters <jcm at jonmasters.org>
---
src/core/main.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/core/main.c b/src/core/main.c
index 71e0a6c..5d5963d 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1243,6 +1243,18 @@ static void test_cgroups(void) {
sleep(10);
}
+static void test_audit_session(void) {
+
+ if (access("/proc/self/sessionid", F_OK) >= 0)
+ return;
+
+ log_warning("CONFIG_AUDITSYSCALL was not set when your kernel was "
+ "compiled. Systems without system call auditing will "
+ "experience session creation problems with commands such "
+ "as sudo, pkexec, and so on. Please fix your kernel or ask "
+ "your Linux distribution to enable CONFIG_AUDITSYSCALL.");
+}
+
static int initialize_join_controllers(void) {
/* By default, mount "cpu" + "cpuacct" together, and "net_cls"
* + "net_prio". We'd like to add "cpuset" to the mix, but
@@ -1604,6 +1616,7 @@ int main(int argc, char *argv[]) {
test_mtab();
test_usr();
test_cgroups();
+ test_audit_session();
}
if (arg_running_as == SYSTEMD_SYSTEM && arg_runtime_watchdog > 0)
--
1.7.11.7
More information about the systemd-devel
mailing list