[Devel] [PATCH RH7] ve/audit: allow changing loginuid for VE root

Dmitry Safonov dsafonov at virtuozzo.com
Wed Apr 19 04:03:22 PDT 2017


On 04/19/2017 01:24 PM, Pavel Tikhomirov wrote:
> If you log into a VZ7CT with a centos6 template inside and restart the sshd
> service, ssh to this CT will be broken.
> 
> That is because:
> 1) Once loginuid is set for a process in a CT it can't be changed, which
> means that all processes of a user connected via ssh will be marked
> with its uid in the loginuid attribute.
> 2) In centos6 we have upstart instead of systemd, which starts services
> as orphaned grandchildren of the process that initiated the start.
> 3) Sshd, to start a new connection, needs to set the loginuid attribute
> for the first process of the connected session.
> 
> Sshd after restart from an ssh session has loginuid set, and when a new
> ssh session is created sshd's fork unsuccessfully tries to reset
> loginuid.
> 
> It should be safe to allow container root, from which sshd is running,
> to reset the loginuid attribute; it will only additionally let container root
> audit some events to INVALID_UID or any kuid from the CT which it wants.
> (Root can do it before the patch through systemd services, e.g. start a
> systemd oneshot service which creates xfrm policies; they will be logged
> to INVALID_UID.)
> 
> https://jira.sw.ru/browse/PSBM-64487
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Reviewed-by: Dmitry Safonov <dsafonov at virtuozzo.com>

> ---
>   kernel/auditsc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6321dad..1afd926 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1898,7 +1898,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
>   	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
>   		return -EPERM;
>   	/* it is set, you need permission */
> -	if (!capable(CAP_AUDIT_CONTROL))
> +	if (!ve_capable(CAP_AUDIT_CONTROL))
>   		return -EPERM;
>   	/* reject if this is not an unset and we don't allow that */
>   	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
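Review bot: the widened test at `+	if (!ve_capable(CAP_AUDIT_CONTROL))` is the only gate left between a container root and rewriting loginuid, so the comment `/* it is set, you need permission */` directly above it should say that the permission is now VE-scoped, and the trade-off the description admits (container root can stamp audit records with INVALID_UID or any kuid it chooses) deserves a comment at this spot too, since nothing in auditsc.c otherwise hints that audit attribution from inside a CT is no longer host-controlled. It would also help to state in the changelog that the AUDIT_FEATURE_LOGINUID_IMMUTABLE check above and the AUDIT_FEATURE_ONLY_UNSET_LOGINUID check below still apply unchanged to VE processes, so a host relying on either feature is not depending on the dropped capable() test.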


