[Devel] [PATCH vz9 3/5] ve/audit: allow changing loginuid for VE root

Nikita Yushchenko nikita.yushchenko at virtuozzo.com
Wed Sep 29 21:25:22 MSK 2021 

From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

If login into VZ7CT with centos6 template inside and restart sshd
service, ssh to these CT will be broken.

That is because:
1) Once loginuid is set for process in CT it can't be changed, that
means that all processes of a user connected via ssh will be marked
with it's uid in loginuid attribute.
2) In centos6 we have upstart instead of systemd which starts services
as orphaned grand-children of process initiated a start.
3) Sshd to start a new connection need to set loginuid attribute
for first process of connected session.

sshd after restart from ssh session has loginuid set and when new
ssh session is created sshd's fork unsuccesfully tries to reset
loginuid.

It should be safe to allow container root, from which sshd is running
to reset loginuid attribute, it will only additionaly let container root
to audit some events to INVALID_UID or any kuid from CT which it wants.
(Root can do it before patch through systemd services, e.g.: start
systemd oneshot service which creates xfrm policies, they will be loged
to INVALID_UID.)

https://jira.sw.ru/browse/PSBM-64487

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Dmitry Safonov <dsafonov at virtuozzo.com>
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>

(cherry-picked from vz8 commit b52e1ef3df63 ("ve/audit: allow changing
loginuid for VE root"))

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..9ed68edfd6c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2259,7 +2259,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
 		return -EPERM;
 	/* it is set, you need permission */
-	if (!capable(CAP_AUDIT_CONTROL))
+	if (!ve_capable(CAP_AUDIT_CONTROL))
 		return -EPERM;
 	/* reject if this is not an unset and we don't allow that */
 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)
-- 
2.30.2

More information about the Devel mailing list