[systemd-devel] [PATCH] core: check system call auditing is enabled

Lennart Poettering lennart at poettering.net
Tue Feb 19 12:49:30 PST 2013

On Tue, 19.02.13 14:29, Jon Masters (jonathan at jonmasters.org) wrote:

> From: Jon Masters <jcm at jonmasters.org>
> Systemd relies upon CONFIG_AUDITSYSCALL support being present in the
> kernel.

Actually it doesn't. There's just a bug with pkexec on systems that lack
auditing, but we really should fix that. We definitely want to support
audit-less systems.

Even more, currently the kernel auditing layer is so borked that we ask
everybody who want to boot a full Fedora in an "nspawn" container to
turn off auditing in the kernel via "audit=0", so we really should make
sure everything works fine without auditing enabled in the kernel.

> This is because systemd-logind calls audit_session_from_pid, which uses
> /proc/self/sessionid to determine whether an existing session is being
> replaced as part of e.g. a call to sudo, pkexec, or similar. Without
> support for system call auditing, these commands will silently fail as
> their session is killed immediately after it is created by systemd.

audit_session_from_pid() should be used only to keep the audit session
ID and the systemd session ID in sync. However, if
audit_session_from_pid() fails to work we probably should check for
cgroup membership as fallback for determining whether the calling
process already is part of a session.


Lennart Poettering - Red Hat, Inc.

More information about the systemd-devel mailing list