[systemd-devel] [PATCH] core: check system call auditing is enabled
lennart at poettering.net
Tue Feb 19 12:49:30 PST 2013
On Tue, 19.02.13 14:29, Jon Masters (jonathan at jonmasters.org) wrote:
> From: Jon Masters <jcm at jonmasters.org>
> Systemd relies upon CONFIG_AUDITSYSCALL support being present in the
Actually it doesn't. There's just a bug with pkexec on systems that lack
auditing, but we really should fix that. We definitely want to support
Even more, currently the kernel auditing layer is so borked that we ask
everybody who wants to boot a full Fedora in an "nspawn" container to
turn off auditing in the kernel via "audit=0", so we really should make
sure everything works fine without auditing enabled in the kernel.
> This is because systemd-logind calls audit_session_from_pid, which uses
> /proc/self/sessionid to determine whether an existing session is being
> replaced as part of e.g. a call to sudo, pkexec, or similar. Without
> support for system call auditing, these commands will silently fail as
> their session is killed immediately after it is created by systemd.
audit_session_from_pid() should be used only to keep the audit session
ID and the systemd session ID in sync. However, if
audit_session_from_pid() fails to work we probably should check for
cgroup membership as fallback for determining whether the calling
process already is part of a session.
Lennart Poettering - Red Hat, Inc.
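An added example, not part of this thread or of systemd's own code: a small reader for /proc/<pid>/sessionid that keeps the three cases apart that the discussion above conflates. A missing file means the kernel has no CONFIG_AUDITSYSCALL (-ENOENT), the value 4294967295 (the kernel's (unsigned int)-1) means the process simply has no audit session yet (-ENODATA), and anything else is a real session id; a caller that lumps the first two together is what kills freshly created sudo/pkexec sessions. The function names and the separate parse step are my own, chosen so the parser can be exercised without /proc.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Value the kernel reports when no audit session id has been assigned. */
#define AUDIT_SESSION_UNSET UINT32_MAX

/* Parse the text of /proc/<pid>/sessionid (one decimal number, optional
 * trailing newline). Returns 0 and stores the id, -ENODATA if the process
 * has no audit session yet, -EINVAL if the line is not an unsigned 32-bit
 * number. */
int audit_session_parse(const char *line, uint32_t *ret) {
    char *end;
    unsigned long long v;

    if (!line || !ret)
        return -EINVAL;
    errno = 0;
    v = strtoull(line, &end, 10);
    if (errno != 0 || end == line)
        return -EINVAL;
    /* tolerate exactly one trailing newline, nothing else */
    if (*end != '\0' && !(*end == '\n' && end[1] == '\0'))
        return -EINVAL;
    if (v > UINT32_MAX)
        return -EINVAL;
    if ((uint32_t) v == AUDIT_SESSION_UNSET)
        return -ENODATA;
    *ret = (uint32_t) v;
    return 0;
}

/* Read the audit session id of pid (0 = calling process). -ENOENT means
 * the kernel lacks CONFIG_AUDITSYSCALL: that is not "no session", and the
 * caller should fall back to another source (e.g. cgroup membership)
 * instead of treating the process as session-less. */
int read_audit_session(pid_t pid, uint32_t *ret) {
    char path[64], line[32];
    FILE *f;

    if (pid == 0)
        snprintf(path, sizeof path, "/proc/self/sessionid");
    else
        snprintf(path, sizeof path, "/proc/%ld/sessionid", (long) pid);
    f = fopen(path, "re");
    if (!f)
        return -errno;
    if (!fgets(line, sizeof line, f)) {
        fclose(f);
        return -EIO;
    }
    fclose(f);
    return audit_session_parse(line, ret);
}
```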