systemd: fix smack error 58/260758/3
authorINSUN PYO <insun.pyo@samsung.com>
Fri, 2 Jul 2021 04:34:32 +0000 (13:34 +0900)
committerHyotaek Shim <hyotaek.shim@samsung.com>
Mon, 2 Aug 2021 02:07:58 +0000 (02:07 +0000)
A user systemd session reads /proc/1/sched to detect whether it is running in a container, and SMACK denies the access:

Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:23 localhost audit[915]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=915 comm="systemctl" name="sched" dev="proc" ino=12247

Change-Id: I0d6f632b090582888c45f309c8a8bf06f4f0f510

src/basic/virt.c

index cdb0480..11b98fd 100644 (file)
@@ -517,20 +517,22 @@ int detect_container(void) {
         /* Interestingly /proc/1/sched actually shows the host's PID for what we see as PID 1. If the PID
          * shown there is not 1, we know we are in a PID namespace and hence a container. */
  check_sched:
-        r = read_one_line_file("/proc/1/sched", &m);
-        if (r >= 0) {
-                const char *t;
+        if (getpid_cached() == 1) {
+                r = read_one_line_file("/proc/1/sched", &m);
+                if (r >= 0) {
+                        const char *t;
 
-                t = strrchr(m, '(');
-                if (!t)
-                        return -EIO;
+                        t = strrchr(m, '(');
+                        if (!t)
+                                return -EIO;
 
-                if (!startswith(t, "(1,")) {
-                        r = VIRTUALIZATION_CONTAINER_OTHER;
-                        goto finish;
-                }
-        } else if (r != -ENOENT)
-                return r;
+                        if (!startswith(t, "(1,")) {
+                                r = VIRTUALIZATION_CONTAINER_OTHER;
+                                goto finish;
+                        }
+                } else if (r != -ENOENT)
+                        return r;
+        }
 
         /* If that didn't work, give up, assume no container manager. */
         r = VIRTUALIZATION_NONE;
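Review bot: Gating the whole /proc/1/sched probe on `getpid_cached() == 1` changes what detect_container() reports for every process that is not PID 1 — inside a container that advertises itself only through the PID-namespace check, PID 1 would return VIRTUALIZATION_CONTAINER_OTHER while systemctl or a user manager in the same container now falls through to VIRTUALIZATION_NONE, so the result depends on the caller rather than on the environment. The denial being silenced is an access error, so a narrower fix is to keep the read for everyone and treat a policy refusal like a missing file: `} else if (r != -ENOENT && r != -EACCES && r != -EPERM)` / `        return r;` (or the IN_SET() form if that macro is in scope here), which still hides the SMACK AVC cause-and-effect for the "User" label while letting any process that is permitted to read the file detect the container. If the PID-1 gate is kept deliberately, the comment above `check_sched:` should say so, e.g. `/* Only PID 1 probes this: on SMACK systems the "User" label is denied read access to /proc/1/sched, and the result is only meaningful for the manager anyway. */`, since the existing text only explains what the file shows and not why non-PID-1 callers are skipped. detect_container() begins before this hunk and the `finish:` label it jumps to lies after it, so the remaining fallbacks are not visible here.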