nspawn: make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOTSUPPORT in containers
authorLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 19:30:02 +0000 (20:30 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 19:30:02 +0000 (20:30 +0100)
The kernel still doesn't support audit in containers, so let's make use
of seccomp and simply turn it off entirely. We can get rid of this big
as soon as the kernel is fixed again.

Makefile.am
src/nspawn/nspawn.c

index 61d678f..181b346 100644 (file)
@@ -1850,7 +1850,8 @@ systemd_nspawn_LDADD = \
        libsystemd-internal.la \
        libsystemd-daemon-internal.la \
        libudev-internal.la \
-       libsystemd-shared.la
+       libsystemd-shared.la \
+       $(SECCOMP_LIBS)
 
 # ------------------------------------------------------------------------------
 systemd_run_SOURCES = \
index b4c5a54..3a6d428 100644 (file)
 #include <selinux/selinux.h>
 #endif
 
+#ifdef HAVE_SECCOMP
+#include <seccomp.h>
+#endif
+
 #include "sd-daemon.h"
 #include "sd-bus.h"
 #include "sd-id128.h"
@@ -1432,6 +1436,57 @@ static int move_network_interfaces(pid_t pid) {
         return 0;
 }
 
+static int audit_still_doesnt_work_in_containers(void) {
+
+#ifdef HAVE_SECCOMP
+        scmp_filter_ctx seccomp;
+        int r;
+
+        /*
+           Audit is broken in containers, much of the userspace audit
+           hookup will fail if running inside a container. We don't
+           care and just turn off creation of audit sockets.
+
+           This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+           with EAFNOSUPPORT which audit userspace uses as indication
+           that audit is disabled in the kernel.
+         */
+
+        seccomp = seccomp_init(SCMP_ACT_ALLOW);
+        if (!seccomp)
+                return log_oom();
+
+        r = seccomp_rule_add_exact(
+                        seccomp,
+                        SCMP_ACT_ERRNO(EAFNOSUPPORT),
+                        SCMP_SYS(socket),
+                        2,
+                        SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
+                        SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
+        if (r < 0) {
+                log_error("Failed to add audit seccomp rule: %s", strerror(-r));
+                goto finish;
+        }
+
+        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+        if (r < 0) {
+                log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+                goto finish;
+        }
+
+        r = seccomp_load(seccomp);
+        if (r < 0)
+                log_error("Failed to install seccomp audit filter: %s", strerror(-r));
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+#else
+        return 0;
+#endif
+
+}
+
 int main(int argc, char *argv[]) {
 
         _cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1, netns_fd = -1;
@@ -1707,6 +1762,9 @@ int main(int argc, char *argv[]) {
                                 netns_fd = -1;
                         }
 
+                        if (audit_still_doesnt_work_in_containers() < 0)
+                                goto child_fail;
+
                         if (setup_dev_console(arg_directory, console) < 0)
                                 goto child_fail;