[Devel] [PATCH RH7] ve/audit: allow changing loginuid for VE root

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Apr 19 03:24:01 PDT 2017


If login into VZ7CT with centos6 template inside and restart sshd
service, ssh to these CT will be broken.

That is because:
1) Once loginuid is set for process in CT it can't be changed, that
means that all processes of a user connected via ssh will be marked
with it's uid in loginuid attribute.
2) In centos6 we have upstart instead of systemd which starts services
as orphaned grand-children of process initiated a start.
3) Sshd to start a new connection need to set loginuid attribute
for first process of connected session.

Sshd after restart from ssh session has loginuid set and when new
ssh session is created sshd's fork unsuccesfully tries to reset
loginuid.

It should be safe to allow container root, from which sshd is running
to reset loginuid attribute, it will only additionaly let container root
to audit some events to INVALID_UID or any kuid from CT which it wants.
(Root can do it before patch through systemd services, e.g.: start
systemd oneshot service which creates xfrm policies, they will be loged
to INVALID_UID.)

https://jira.sw.ru/browse/PSBM-64487
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6321dad..1afd926 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1898,7 +1898,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
 		return -EPERM;
 	/* it is set, you need permission */
-	if (!capable(CAP_AUDIT_CONTROL))
+	if (!ve_capable(CAP_AUDIT_CONTROL))
 		return -EPERM;
 	/* reject if this is not an unset and we don't allow that */
 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
-- 
2.9.3



More information about the Devel mailing list