[Devel] [PATCH RHEL COMMIT] ve/audit: allow changing loginuid for VE root

Konstantin Khorenko khorenko at virtuozzo.com
Thu Sep 30 18:08:44 MSK 2021 

The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit f6ed6a659ae857f7010694070a767bd6f6116a1f
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Sep 30 18:08:44 2021 +0300

    ve/audit: allow changing loginuid for VE root
    
    If login into VZ7CT with centos6 template inside and restart sshd
    service, ssh to these CT will be broken.
    
    That is because:
    1) Once loginuid is set for process in CT it can't be changed, that
    means that all processes of a user connected via ssh will be marked
    with it's uid in loginuid attribute.
    2) In centos6 we have upstart instead of systemd which starts services
    as orphaned grand-children of process initiated a start.
    3) Sshd to start a new connection need to set loginuid attribute
    for first process of connected session.
    
    sshd after restart from ssh session has loginuid set and when new
    ssh session is created sshd's fork unsuccesfully tries to reset
    loginuid.
    
    It should be safe to allow container root, from which sshd is running
    to reset loginuid attribute, it will only additionaly let container root
    to audit some events to INVALID_UID or any kuid from CT which it wants.
    (Root can do it before patch through systemd services, e.g.: start
    systemd oneshot service which creates xfrm policies, they will be loged
    to INVALID_UID.)
    
    https://jira.sw.ru/browse/PSBM-64487
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Reviewed-by: Dmitry Safonov <dsafonov at virtuozzo.com>
    Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
    
    (cherry-picked from vz8 commit b52e1ef3df63 ("ve/audit: allow changing
    loginuid for VE root"))
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..9ed68edfd6c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2259,7 +2259,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
 		return -EPERM;
 	/* it is set, you need permission */
-	if (!capable(CAP_AUDIT_CONTROL))
+	if (!ve_capable(CAP_AUDIT_CONTROL))
 		return -EPERM;
 	/* reject if this is not an unset and we don't allow that */
 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID)

More information about the Devel mailing list