[Devel,RHEL7,COMMIT] ve/audit: allow changing loginuid for VE root

Submitted by Konstantin Khorenko on April 20, 2017, 9:37 a.m.


Message ID 201704200937.v3K9bf0f022355@finist_cl7.x64_64.work.ct
State New
Series "ve/audit: allow changing loginuid for VE root"
Headers show

Commit Message

Konstantin Khorenko April 20, 2017, 9:37 a.m.
The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.30.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.16.1.vz7.30.4
commit 8f4974a67d7a56ef433398c2c3bc638d1e801c9d
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Thu Apr 20 13:37:41 2017 +0400

    ve/audit: allow changing loginuid for VE root
    If login into VZ7CT with centos6 template inside and restart sshd
    service, ssh to these CT will be broken.
    That is because:
    1) Once loginuid is set for process in CT it can't be changed, that
    means that all processes of a user connected via ssh will be marked
    with it's uid in loginuid attribute.
    2) In centos6 we have upstart instead of systemd which starts services
    as orphaned grand-children of process initiated a start.
    3) Sshd to start a new connection need to set loginuid attribute
    for first process of connected session.
    sshd after restart from ssh session has loginuid set and when new
    ssh session is created sshd's fork unsuccesfully tries to reset
    It should be safe to allow container root, from which sshd is running
    to reset loginuid attribute, it will only additionaly let container root
    to audit some events to INVALID_UID or any kuid from CT which it wants.
    (Root can do it before patch through systemd services, e.g.: start
    systemd oneshot service which creates xfrm policies, they will be loged
    to INVALID_UID.)
    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Reviewed-by: Dmitry Safonov <dsafonov@virtuozzo.com>
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6321dad..1afd926 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1898,7 +1898,7 @@  static int audit_set_loginuid_perm(kuid_t loginuid)
 	if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE))
 		return -EPERM;
 	/* it is set, you need permission */
-	if (!capable(CAP_AUDIT_CONTROL))
+	if (!ve_capable(CAP_AUDIT_CONTROL))
 		return -EPERM;
 	/* reject if this is not an unset and we don't allow that */
 	if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))