picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/shared/audit.c
Lennart Poettering 9a3ef988b8 audit: since nspawn now sets CAP_AUDIT_CONTROL for containers we cannot user this anymore to skip audit session ID retrieval 
As audit is still broken in containers we need a reliable way how we can
determine whether the audit data we read from 7proc is actually useful.
Previously we used CAP_AUDIT_CONTROL for this, since nspawn removed that
from the nspawn container. This has changed a while back however, which
means we used audit data of host system in the container.

This adds an explicit container check to the audit calls, so that all
audit data is turned off in containers.

This should fix session creation with pam_systemd/logind in nspawn containers.
2013-04-15 21:59:04 +02:00

129 lines
3.2 KiB
C
Raw Blame History

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <assert.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/prctl.h>
#include <sys/capability.h>
#include "macro.h"
#include "audit.h"
#include "util.h"
#include "log.h"
#include "fileio.h"
#include "virt.h"
int audit_session_from_pid(pid_t pid, uint32_t *id) {
char *s;
uint32_t u;
int r;
assert(id);
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
r = read_one_line_file("/proc/self/sessionid", &s);
else {
char *p;
if (asprintf(&p, "/proc/%lu/sessionid", (unsigned long) pid) < 0)
return -ENOMEM;
r = read_one_line_file(p, &s);
free(p);
}
if (r < 0)
return r;
r = safe_atou32(s, &u);
free(s);
if (r < 0)
return r;
if (u == (uint32_t) -1 || u <= 0)
return -ENOENT;
*id = u;
return 0;
}
int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
char *s;
uid_t u;
int r;
assert(uid);
/* Only use audit login uid if we are executed with sufficient
* capabilities so that pam_loginuid could do its job. If we
* are lacking the CAP_AUDIT_CONTROL capabality we most likely
* are being run in a container and /proc/self/loginuid is
* useless since it probably contains a uid of the host
* system. */
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
r = read_one_line_file("/proc/self/loginuid", &s);
else {
char *p;
if (asprintf(&p, "/proc/%lu/loginuid", (unsigned long) pid) < 0)
return -ENOMEM;
r = read_one_line_file(p, &s);
free(p);
}
if (r < 0)
return r;
r = parse_uid(s, &u);
free(s);
if (r < 0)
return r;
if (u == (uid_t) -1)
return -ENOENT;
*uid = (uid_t) u;
return 0;
}
Reference in a new issue View git blame Copy permalink