| Message ID | 201704200937.v3K9bf0f022355@finist_cl7.x64_64.work.ct |
|---|---|
| State | New |
| Series | "ve/audit: allow changing loginuid for VE root" |
| Headers | show
Delivered-To: criupatchwork@gmail.com Received: from gmail-imap.l.google.com [64.233.164.108] by patchwork.criu.org with IMAP (fetchmail-6.3.26) for <root@localhost> (single-drop); Thu, 20 Apr 2017 11:40:48 +0200 (CEST) Received: by 10.100.181.168 with SMTP id r37csp661142pjb; Thu, 20 Apr 2017 02:40:44 -0700 (PDT) X-Received: by 10.200.46.150 with SMTP id h22mr7603195qta.157.1492681244500; Thu, 20 Apr 2017 02:40:44 -0700 (PDT) Return-Path: <devel-bounces@openvz.org> Received: from mail.openvz.org (mail.openvz.org. [199.115.104.192]) by mx.google.com with ESMTPS id t63si5240154qtd.268.2017.04.20.02.40.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Apr 2017 02:40:44 -0700 (PDT) Received-SPF: pass (google.com: domain of devel-bounces@openvz.org designates 199.115.104.192 as permitted sender) client-ip=199.115.104.192; Authentication-Results: mx.google.com; spf=pass (google.com: domain of devel-bounces@openvz.org designates 199.115.104.192 as permitted sender) smtp.mailfrom=devel-bounces@openvz.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: from mail.openvz.org (localhost [127.0.0.1]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id v3K9boEK021056; Thu, 20 Apr 2017 02:38:02 -0700 Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-db5eur03lp0081.outbound.protection.outlook.com [94.245.120.81]) by mail.openvz.org (8.14.4/8.14.4) with ESMTP id v3K9bloc021053 for <devel@openvz.org>; Thu, 20 Apr 2017 02:37:47 -0700 Received: from DB5PR08CA0064.eurprd08.prod.outlook.com (2a01:111:e400:c576::32) by AM4PR0801MB1489.eurprd08.prod.outlook.com (2603:10a6:200:3d::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1034.10; Thu, 20 Apr 2017 09:37:44 +0000 Received: from VE1EUR01FT016.eop-EUR01.prod.protection.outlook.com (2a01:111:f400:7e01::203) by DB5PR08CA0064.outlook.office365.com (2a01:111:e400:c576::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1034.10 via Frontend Transport; Thu, 20 Apr 2017 09:37:43 +0000 Authentication-Results: spf=pass (sender IP is 195.214.232.25) smtp.mailfrom=virtuozzo.com; openvz.org; dkim=none (message not signed) header.d=none; openvz.org; dmarc=pass action=none header.from=virtuozzo.com; Received-SPF: Pass (protection.outlook.com: domain of virtuozzo.com designates 195.214.232.25 as permitted sender) receiver=protection.outlook.com; client-ip=195.214.232.25; helo=relay.sw.ru; Received: from relay.sw.ru (195.214.232.25) by VE1EUR01FT016.mail.protection.outlook.com (10.152.2.227) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1019.14 via Frontend Transport; Thu, 20 Apr 2017 09:37:43 +0000 Received: from finist_cl7.x64_64.work.ct (msk-vpn.virtuozzo.com [195.214.232.6]) by relay.sw.ru (8.13.4/8.13.4) with ESMTP id v3K9bgBT010333 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 20 Apr 2017 12:37:42 +0300 (MSK) Received: from finist_cl7.x64_64.work.ct (localhost [127.0.0.1]) by finist_cl7.x64_64.work.ct (8.14.7/8.14.7) with ESMTP id v3K9bfxr022356; Thu, 20 Apr 2017 13:37:41 +0400 Received: (from khorenko@localhost) by finist_cl7.x64_64.work.ct (8.14.7/8.14.7/Submit) id v3K9bf0f022355; Thu, 20 Apr 2017 13:37:41 +0400 Date: Thu, 20 Apr 2017 13:37:41 +0400 Message-ID: <201704200937.v3K9bf0f022355@finist_cl7.x64_64.work.ct> X-Authentication-Warning: finist_cl7.x64_64.work.ct: khorenko set sender to khorenko@virtuozzo.com using -f From: Konstantin Khorenko <khorenko@virtuozzo.com> To: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> In-Reply-To: <20170419102401.25350-1-ptikhomirov@virtuozzo.com> X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:195.214.232.25; IPV:CAL; SCL:-1; CTRY:RU; EFV:NLI; SFV:SKN; SFS:; DIR:INB; SFP:; SCL:-1; SRVR:AM4PR0801MB1489; H:relay.sw.ru; FPR:; SPF:None; LANG:en; X-Microsoft-Exchange-Diagnostics: 1; VE1EUR01FT016; 1:81gh+nwwp9Bu/9QzEOTn1/9kIHr+4igvNbLTXLLZwpmlRwfzWAjCTukFImUwPd4+sP2alwUtVhssaw+csu6yPqcXE7fv8mYfEWncLAiaW9/5aB4BoGpBGNKLr5crEqzn/X5bJRqzroJOowg5B4GWCDJ3HXx1/ZVwpb+G820XXh3MUke2N9cyO+EU+Cz3YJggvlzghomyqNqeO3Cmh8K8Z0+OZauo4vs2goPEeptmZCOcKR6YkIUybw1+wkFwcIf7EglivQE3pOsCP6uXjYbNPzqW8hjP+HkVQFPlZ04ghp32I7uJ62nkAH7Y70HIIepCVjHRUwkiIhLhaAmiynNFJ0kw6AuverANGQJpGemELdKRpEuKuEtWRm8E5q5kkmSDDZLG/5+4uEgFhkAEVAlz2c6GOjrXXciU9eJvkJV/WB1yeFmwtmM6tQ9nKZfn3ulgEVRFJX6LaW2OBtzsgKrKXderkvuJ0o7kdTr7bSQvC4QilCnWrIAdI62t/pXwFPar0udn3hDBCF0l+nmIgMpuIw== MIME-Version: 1.0 X-MS-Office365-Filtering-Correlation-Id: d846277d-5831-4c71-3ec9-08d487d0e53b X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(8251501002)(2017030254075)(201703131423075)(201703031133081); SRVR:AM4PR0801MB1489; X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 3:8CIMj2odaJ7H9OQok6OTMQf7HyTKEi1vY0TgumwyPAmQS87acK5+K0lnmaREvy8o6tylH3GJM1Fi/W+qbKit8oBrl+Yt1FoFKXjIT025ygXZz5XgJsNimfCD8MjY0n9w1oWVZFjlZ8teNF9BhEs2zUOYWJW/yz2zsglIhtL2PwKimqozxmX0DFx5bTGmToxyVzHx6lHFfXDKmAfnmbNoM+ONOe2OPyeR3AXuqc717HXPEicb/wt972FLpKxHFdZj1HzF0HKkHghYILHNWft+xdlpSlABl5bJCl/M9E/Nfre/6ZuiJRMuh+wpDT4QSaQuNKNsYmQMBE2iaGBMPkmOudAFO4o0OqLG3gcjQNXKENcMOi0WliRKS4WbqHWNYjN1yAIka0t4hRqqZWu5IF6mZIEoecA6JYv8etuaJ4CBVI/UL5gHlGVroryn471QDzZ2BKAHUCHMtdWTNcQCCV/eMhLdxUKABHFrP4fLDPg00h/GApQ5l2XXh3156hgHoOpm X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 25:lQXBxMD4/LyD1T+shiPDN1k4YN70wWgfcXwpYi9d6PQrK8+RQ15NbtUnZQMns8xMG6GeOwwZrbV8jZ43Fvp58U2AKfU6J8wBsCQ7i9gI8Q7mjfamyA0tIQZ7h4UorGKYe/1MdZ2F6pqe0rd72yMYm0Nsb+CyLBVxAdT7sITkODHIXS6KzenSZyJtpgeGbPyRkFUcrjH3v6VeGwT1MscxNHpgWX+5lhgGquv2ss1dkoB3gorNArae2pGdzd1uM291d9pfTDSTkpwmUfTH0Ex9mk3sI/U7aWg+M59OcTPk/LET390KCHQy/f7LL0bg2PtkgesoeBTXD4lTEpCyhbzFsFBuUlxthUxIZqkhyPrVBkcY3DwgBfhuWSVnPgGoFSwFz4UN7ICHvIpvtCNp5KiNI4R0t/IqjkTphQj8b9DSaGkwQ9+xfNvgvJq+XqbzsXFVX9QD2vqaf7jxJLktZ1mcVg==; 31:jWn/jJfZsK0QdMwrkJnCQZOZ344xroQO6MHiNDfVhRZyU41+BEEShn7KFoQwi9f0MJimlU6Jh4WP7j2kj2CznwM43L90LpLilpHIG1GNJo+IeFiwUBp76KuPmPWzHHYYYnMynZJ0uwWrvrRHiD0YBt/6bAGLcnPsI3oz1R+GsGZtaNYVR2wbHVtSeXG3UMoxiJnQTXnE1sRl2h1KsdFTZOOJXrBYtskqwMhIQhUVwQucf/BcOxTrF8e6JRcb4HCT55aX9vKcJAsxSYZ+WpXlLm8dTnGYU5yG6iH3f/1cd85AkuJL1tiqCdWPGmBCFwkz X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 20:Z30qi7AZCSZww2WDIlKt3MHGzC3bMIxsfmeTmTA6NQSbWcrAeytwDN17LxF4BjmEnRWnWHwKnogk/xjhLigLZDd3er0QcitcemcXqibvga44b/VIXxkSw5GuSULkgyFRNsfyPM/amUp9o1PtqaufsLtTTmRQX6xoXH5v7bl7z59oFrseBx07qWd7T7wIbNAN7zcBOdYMl1IAflRJWUng4o/97mEh0r+QyOqra1s997uWBoYm/FU+WPzRlMdXMxtAYUZ+gWja6WncpRQGhoJa7KWDeNYZRTLDN8VYyNBXCKWEkA5hikIk2fhA/EhqgE3ACndrFur9NoWrd7kB5pR1FX4/EcYF4m1A/0+cDGkV3D6SFRcOnS4x6PiWmdU1iw/k2WYkuo90hrqj2tXFUSYGCFYWNtUa/ymtkCn9VPd5Th4CHhtH+g5bgQnDC21tCiDLzIsIbMtNpA72guizZ8k73+v67O4OHBA46+Geg7DMsVKwoZ8lgLR21dgJil8leUPpHSk6BoG/2IFWJEvmE9Vt8A== X-Exchange-Antispam-Report-Test: UriScan:(215187933766430)(17755550239193); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(9101521199)(601004)(2401047)(13023025)(13020025)(13013025)(8121501046)(93006095)(93004095)(3002001)(10201501046); SRVR:AM4PR0801MB1489; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1489; X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 4:C6W2MwGGMmLlCK+ieZK7x2hPwiI6hnCLt1QyjOcty0f/OgvzH6asz75aVtgcKKUy1E54vXfRHIYIzNvlqXTzrs/0fYqQXrcyEGThFcHtqNBYKe/AJk+yDyBtClR3Sj5nDmzXVyHvgIcaGp0rXCYwi5lJMIeovnk263yO4JHU4s95RpVH3MfTA8NBpBBO26lsXt+6rZTedHUjGPp3zRajYZg8jzDrVl3AkYDOfWRhiYFpy5wA73IVmbH8A9qPCqmdKyYwi/E5xCrwPoWo0JX6QrHyqCFFD2UHT1mSA6Pbo29wuhAtyRk9DAng4y4x13nEGS7H8gJiIM7bGg/nm6dFya1tQF3+8Y02NoKLp2HJUZ3plIPhdQxcQpgF/AIDrMAyfgl5w0hiV8gixCQ51mCt2J9GAr+9RgIryMzY431nXcgXaz1dyNSFR1X9tYpfzfq/t1WkSg8XAjrN5WBJmdaN8o1eDpSZgx9Urzk22m+kpYV3uZ+gS7dVoK/MG1WudFpHlRnLymXTcHbHYNSaM+UD2gyY6GdAaVmYCdBZ2UIpN9r+FlUHgRmLjayB6LTOwr8m; 23:sDy/Tq/X31cU+fsvmwLsbV1NFsoyVN9OARsrm2AJdY8ZDfNdGh9f8rPFu1e/y1jtOW6489N6OZhqlRQmNT7Rxn+0/Jt3UTLWEpjSifo3FYTdySn9oNskvEp2AK/dR/u6bRq55Biv9DePTU9GEgdW+YTYRP3W6/2hAPa6CLWts8atzUrag/9IMV95m1F0POvI X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 6:lYEXi3rbBgLgTOopCynPYI9ahyb+LV/fMEyb0LGgtANpM0dqMGbPjBXKgzCvZ4kX33lbMn7wWaHSQtO50li8UncpQUWMjwg9M7arij/lAHUvQgNER5GRh6G3HL8kbKrK/Leyu2Fput19hXxCtHBvmVFT659Rvk7JfcBkuU/FceY5bFE4TsH8GRND1n09scp9bGQAMa3gwCg13YZD0Ki3iChTHN0/SCHMqyTZrRoaVq3TNOdm+ZBD43K2Kj3Hwvnlo7X6fslRlCitVgKmO7XzQBpp587N21WZrKajd0PuEYKqbRZPnNCfLKeN1UjeYL/slXgOtIeKt5KwuHivo3+vNry3pm5uIZpJeSD7h1ybYFB1v6R4iDiVJuYMh2ycr7bEILcpSY8xHVLBje4i3BJUvy3cw0qYZsbS+janW70hRThSbL2A2YKgHUXfmAiLOr9c; 5:+GpXdys6NDBa3xHNAWT7ycNswSNcPckFBjofns28+ZTt//JvkIrJTpb2wYDM/KpEcG8bIDHcElcLzTdthrcCsharUJe28rIdJYYjjpEeXvGFfQPUIkZW0J9uoH9s6AR4U9r94YfanTfJ3xC/jf+Ifw==; 24:yVgxv11mJ1vfSZ59Sdl4Y4jPLJwxSFWAQ0s4U75szlDjg9I4RlJ7uFRUuvUymfrmHHTHt2VMqjzxvmAClAnWlm4e/LQv05ee7juSWFHpWZo= SpamDiagnosticOutput: 1:2 SpamDiagnosticMetadata: 2b2090aae5154f77b71484475de18b04 X-Microsoft-Exchange-Diagnostics: 1; AM4PR0801MB1489; 7:3YEeseAVZqqE7ZDXlIAjI16jl+sdS36zHQI/mAuzb2LKhYeaeRI40TwDnRN+gpExaqjBB5iEtBp1iyXNsYq+4etvOe994YPOpY7SklBkw+B2IY/CeGcbiI9bBdGe+C3Uxs3fuH6rfQA8x742F9+GIcFifoNcQYnH/nk4CcUTV7t18D5DpUEEIIB/Q6217mLMk8G7vg3WZGe/dvFAuh796LaXRRnNqFveuOV+gVZ2zVDtQFV3rCRHvaI11VHQ5EqSDTy9Ao3MoMCgq5X5RLyUFn8WrB/1f4DNaiNMaOfD32hjNW2w9c5hHzRsJEB5H/MoLoSVf7e7hwI1vFqv1uBJznl4JMh/eZgKI06h5DwI9XbYugqcV2a1x/E2bVAa4IOm0Lex4MgtHDO+euKnisZFQQ==; 20:t3ib0IIYh1XsbyDwukWBu9yphuV8QSzGFqlVtnJnvfMa3T6gm2xrgvTdOdyWn5WaldV30n+QXaF+/PYBKfCIgAVlm+Lxj/82vltneFKl+gYFqLYexyXjYa/Nb/S9LB/1USBPwX98HzVcIDO6mCM6DH6k8cGC0uEkhHZW5wkIUMo= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Apr 2017 09:37:43.0676 (UTC) X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=0bc7f26d-0264-416e-a6fc-8352af79c58f; Ip=[195.214.232.25]; Helo=[relay.sw.ru] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1489 X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 195.214.232.25 X-MS-Exchange-CrossPremises-SCL: -1 X-MS-Exchange-CrossPremises-AuthSource: VE1EUR01FT016.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossPremises-AuthAs: Anonymous X-MS-Exchange-CrossPremises-AVStamp-Service: 1.0 X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:SKN; SKIP:0; X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent X-OrganizationHeadersPreserved: AM4PR0801MB1489.eurprd08.prod.outlook.com Cc: OpenVZ devel <devel@openvz.org> Subject: [Devel] [PATCH RHEL7 COMMIT] ve/audit: allow changing loginuid for VE root X-BeenThere: devel@openvz.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OpenVZ development <devel.openvz.org> List-Unsubscribe: <https://lists.openvz.org/mailman/options/devel>, <mailto:devel-request@openvz.org?subject=unsubscribe> List-Archive: <http://lists.openvz.org/pipermail/devel/> List-Post: <mailto:devel@openvz.org> List-Help: <mailto:devel-request@openvz.org?subject=help> List-Subscribe: <https://lists.openvz.org/mailman/listinfo/devel>, <mailto:devel-request@openvz.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: devel-bounces@openvz.org Errors-To: devel-bounces@openvz.org |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6321dad..1afd926 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1898,7 +1898,7 @@ static int audit_set_loginuid_perm(kuid_t loginuid) if (is_audit_feature_set(AUDIT_FEATURE_LOGINUID_IMMUTABLE)) return -EPERM; /* it is set, you need permission */ - if (!capable(CAP_AUDIT_CONTROL)) + if (!ve_capable(CAP_AUDIT_CONTROL)) return -EPERM; /* reject if this is not an unset and we don't allow that */ if (is_audit_feature_set(AUDIT_FEATURE_ONLY_UNSET_LOGINUID) && uid_valid(loginuid))
The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.30.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-514.16.1.vz7.30.4 ------> commit 8f4974a67d7a56ef433398c2c3bc638d1e801c9d Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Date: Thu Apr 20 13:37:41 2017 +0400 ve/audit: allow changing loginuid for VE root If login into VZ7CT with centos6 template inside and restart sshd service, ssh to these CT will be broken. That is because: 1) Once loginuid is set for process in CT it can't be changed, that means that all processes of a user connected via ssh will be marked with it's uid in loginuid attribute. 2) In centos6 we have upstart instead of systemd which starts services as orphaned grand-children of process initiated a start. 3) Sshd to start a new connection need to set loginuid attribute for first process of connected session. sshd after restart from ssh session has loginuid set and when new ssh session is created sshd's fork unsuccesfully tries to reset loginuid. It should be safe to allow container root, from which sshd is running to reset loginuid attribute, it will only additionaly let container root to audit some events to INVALID_UID or any kuid from CT which it wants. (Root can do it before patch through systemd services, e.g.: start systemd oneshot service which creates xfrm policies, they will be loged to INVALID_UID.) https://jira.sw.ru/browse/PSBM-64487 Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Reviewed-by: Dmitry Safonov <dsafonov@virtuozzo.com> --- kernel/auditsc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)