[Devel,RH7] ve/audit: allow changing loginuid for VE root

Submitted by Pavel Tikhomirov on April 19, 2017, 10:24 a.m.

Details

Message ID 20170419102401.25350-1-ptikhomirov@virtuozzo.com
State New
Series "ve/audit: allow changing loginuid for VE root"

Commit Message

Pavel Tikhomirov April 19, 2017, 10:24 a.m.
If login into VZ7CT with centos6 template inside and restart sshd
service, ssh to these CT will be broken.

That is because:
1) Once loginuid is set for process in CT it can't be changed, that
means that all processes of a user connected via ssh will be marked
with its uid in loginuid attribute.
2) In centos6 we have upstart instead of systemd which starts services
as orphaned grand-children of process initiated a start.
3) Sshd to start a new connection need to set loginuid attribute
for first process of connected session.

Sshd after restart from ssh session has loginuid set and when new
ssh session is created sshd's fork unsuccessfully tries to reset
loginuid.

It should be safe to allow container root, from which sshd is running
to reset loginuid attribute, it will only additionally let container root
to audit some events to INVALID_UID or any kuid from CT which it wants.
(Root can do it before patch through systemd services, e.g.: start
systemd oneshot service which creates xfrm policies, they will be logged
to INVALID_UID.)

https://jira.sw.ru/browse/PSBM-64487
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6321dad..1afd926 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1898,7 +1898,7 @@  static int audit_set_loginuid_perm(kuid_t loginuid)
 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
 		return -EPERM;
 	/* it is set, you need permission */
-	if (!capable(CAP_AUDIT_CONTROL))
+	if (!ve_capable(CAP_AUDIT_CONTROL))
 		return -EPERM;
 	/* reject if this is not an unset and we don't allow that */
 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
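
Review bot: the switch from `capable(CAP_AUDIT_CONTROL)` to `ve_capable(CAP_AUDIT_CONTROL)` lets container root overwrite an already set loginuid, but nothing in the visible lines of audit_set_loginuid_perm() constrains the new `loginuid` value to INVALID_UID or a kuid that belongs to the container, which is the scope the commit message describes. If the caller does not already guarantee that, consider an explicit check before the function returns success, so that audit records produced inside a container cannot be attributed to a uid outside its mapping.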

Comments

Dmitry Safonov April 19, 2017, 11:03 a.m.
On 04/19/2017 01:24 PM, Pavel Tikhomirov wrote:
> If login into VZ7CT with centos6 template inside and restart sshd
> service, ssh to these CT will be broken.
> 
> That is because:
> 1) Once loginuid is set for process in CT it can't be changed, that
> means that all processes of a user connected via ssh will be marked
> with its uid in loginuid attribute.
> 2) In centos6 we have upstart instead of systemd which starts services
> as orphaned grand-children of process initiated a start.
> 3) Sshd to start a new connection need to set loginuid attribute
> for first process of connected session.
> 
> Sshd after restart from ssh session has loginuid set and when new
> ssh session is created sshd's fork unsuccessfully tries to reset
> loginuid.
> 
> It should be safe to allow container root, from which sshd is running
> to reset loginuid attribute, it will only additionally let container root
> to audit some events to INVALID_UID or any kuid from CT which it wants.
> (Root can do it before patch through systemd services, e.g.: start
> systemd oneshot service which creates xfrm policies, they will be logged
> to INVALID_UID.)
> 
> https://jira.sw.ru/browse/PSBM-64487
> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>

Reviewed-by: Dmitry Safonov <dsafonov@virtuozzo.com>

> ---
>   kernel/auditsc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6321dad..1afd926 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1898,7 +1898,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid)
>   	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
>   		return -EPERM;
>   	/* it is set, you need permission */
> -	if (!capable(CAP_AUDIT_CONTROL))
> +	if (!ve_capable(CAP_AUDIT_CONTROL))
>   		return -EPERM;
>   	/* reject if this is not an unset and we don't allow that */
>   	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
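
Review bot: the comment `/* it is set, you need permission */` directly above the changed line no longer tells the reader which permission is meant, since the check is now made with ve_capable() rather than capable(). Suggest expanding it to say that CAP_AUDIT_CONTROL held by container root is sufficient and why (sshd restarted from an ssh session under upstart has to reset loginuid), and that AUDIT_FEATURE_LOGINUID_IMMUTABLE still takes precedence because the check above returns -EPERM first.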