[systemd-devel] [PATCH] audit: Fix journal failing on unsupported audit in containers [was: journal: don't complain about audit socket errors in a container.]

Lennart Poettering lennart at poettering.net
Wed May 20 08:49:44 PDT 2015


On Wed, 20.05.15 15:48, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Lennart Poettering [2015-05-20 14:57 +0200]:
> > On Wed, 20.05.15 13:53, Martin Pitt (martin.pitt at ubuntu.com) wrote:
> > 
> > > -                        cached_use = true;
> > > +                        /* bind() fails in namespaces (containers), so check that too */
> > > +                        static const union sockaddr_union sa = {
> > > +                                .nl.nl_family = AF_NETLINK,
> > > +                                .nl.nl_pid    = 0,
> > > +                                .nl.nl_groups = AUDIT_NLGRP_READLOG,
> > > +                        };
> > > +                        cached_use = (bind(fd, &sa.sa, sizeof(sa.nl)) >= 0);
> > >                          safe_close(fd);
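Review bot: the bind() probe on AUDIT_NLGRP_READLOG folds three different questions into the one `cached_use` boolean: whether auditing is enabled at all (what ConditionSecurity=audit advertises), whether this kernel has the audit multicast read group, and whether the caller holds the capability that gates it; a host with audit enabled but that cap dropped will now report audit as absent to every user of the condition. If the goal is only to stop systemd-journald-audit.socket from failing, keep `cached_use = true;` here and put the bind() probe (or a capability condition) on that unit instead; at minimum, inspect errno so that EPERM is not treated the same as an unsupported group.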
> > 
> > This check is simply not right. With that you check whether the
> > multicast audit API is available. But given that it has been added
> > only one or two kernel releases ago, and is protected by its own
> > capability, the check is definitely too broad.
> 
> OK. I thought the intention of ConditionSecurity=audit was exactly
> that, as this condition was added together with adding it to
> systemd-journald-audit.socket.

Nope, ConditionSecurity=audit is only a simple boolean check that
holds when audit is enabled at all. It doesn't tell you anything about
the precise audit feature set of the kernel.

> > Anyway, I think people are mostly concerned about bind() failing here,
> > hence I have now added some code to handle that gracefully.
> > 
> > Right now it will still log a message with LOG_WARNING. I'd be willing
> > to downgrade this to LOG_DEBUG for select error codes, if you tell me
> > the ones you run into. EINVAL?
> 
> bind(7, {sa_family=AF_NETLINK, pid=0, groups=00000001}, 12) = -1 EPERM (Operation not permitted)
> 
> With commit 417a7fdc journald now starts working, but
> systemd-journald-audit.socket still fails:
> 
>    Active: failed (Result: resources)
>    systemd[1]: systemd-journald-audit.socket: Socket service systemd-journald.service already active, refusing.
>    systemd[1]: Failed to listen on Journal Audit Socket.

I have now conditionalized the unit on CAP_ADMIN_READ, which is the
cap that you need to read the audit multicast stuff. Your container
manager hence should simply drop that cap from the cap set it passes,
and all should be good.

I didn't test this though, hence please check if current git fixes
that for you now.

> That's why I thought tightening the ConditionSecurity=audit check
> would make more sense, as systemd-journald-audit.socket is the only
> unit which actually uses it. We could add
> ConditionVirtualization=!container to it as a distro-level workaround,
> but I don't like that for the reasons above. I don't just want to
> leave it like that as it makes the system stay in "degraded" mode.

Both conditions are now in place, and we need both: one can have the
cap without auditing being enabled, and auditing can be enabled
without the cap available; only if one has both can the audit stuff in
journal work.

> > Also, please convince your distro to enable seccomp support!
> 
> Fair enough, but that hack doesn't work on all platforms we support
> (i386, powerpc, ppc64el, etc.), and quite frankly that's an even worse
> hack: You'd need to disable that filter once the kernel gets fixed,
> and/or conditionalize it based on the running kernel version. I'd like
> the same code to work everywhere :-)

Well, it's relatively simpler to fix one container manager than all
the userspaces that can run within it...

But anyway, please check if git works for you now.

Lennart

-- 
Lennart Poettering, Red Hat
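An added diagnostic (not systemd code, not from this thread) that repeats the socket()/bind() sequence of the patch but reports which of the two preconditions Lennart names fails: auditing present at all, or the capability gating the multicast group. It assumes Linux 3.16+ headers for AUDIT_NLGRP_READLOG and CAP_AUDIT_READ (the capability the message calls CAP_ADMIN_READ), with fallback values for older headers.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>
#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1   /* audit multicast group, Linux >= 3.16 */
#endif
#ifndef CAP_AUDIT_READ
#define CAP_AUDIT_READ 37       /* gate for that group, Linux >= 3.16 */
#endif

enum probe_result {
        PROBE_OK,          /* both conditions hold: the listener would work */
        PROBE_NO_AUDIT,    /* no NETLINK_AUDIT at all: ConditionSecurity=audit is false */
        PROBE_NO_CAP,      /* audit is there, but bind() -> EPERM: CAP_AUDIT_READ missing */
        PROBE_ERROR,       /* anything else; caller should look at errno */
};

/* Pure mapping from bind()'s errno (testable without a kernel); EPERM is what Martin's strace shows. */
enum probe_result classify_bind_errno(int err) {
        return err == 0 ? PROBE_OK : err == EPERM ? PROBE_NO_CAP : PROBE_ERROR;
}

/* 1: cap in our bounding set, 0: dropped by the container manager, -1: kernel predates the cap. */
int have_cap_audit_read(void) {
        return prctl(PR_CAPBSET_READ, CAP_AUDIT_READ, 0, 0, 0);
}

/* Same socket()+bind() sequence as the patch, but the outcome is classified instead of flattened. */
enum probe_result probe_audit_multicast(void) {
        int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
        if (fd < 0)
                return errno == EPROTONOSUPPORT ? PROBE_NO_AUDIT : PROBE_ERROR;
        struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = AUDIT_NLGRP_READLOG };
        int err = bind(fd, (struct sockaddr *) &sa, sizeof sa) < 0 ? errno : 0;
        close(fd);
        return classify_bind_errno(err);
}

int main(void) {
        static const char *const names[] = { "ok", "no audit", "no CAP_AUDIT_READ", "error" };
        printf("CAP_AUDIT_READ in bounding set: %d\n", have_cap_audit_read());
        printf("audit multicast listener: %s\n", names[probe_audit_multicast()]);
        return 0;
}
```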
