[PATCH v2 0/1] audit: remove trailing spaces and tabs
by Zhen Lei
v1 --> v2:
Add files to be checked:
include/linux/audit.h
include/uapi/linux/audit.h
Zhen Lei (1):
audit: remove trailing spaces and tabs
include/uapi/linux/audit.h | 4 ++--
kernel/audit.h | 2 +-
kernel/auditsc.c | 8 ++++----
3 files changed, 7 insertions(+), 7 deletions(-)
--
2.25.1
3 years, 4 months
audit 3.0.2 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report
This release has a big documentgation cleanup from MIZUTA Takeshi. Thanks! It
also updates the lookup tables for the 5.12 kernel. And has a lot of code
cleanups from static analysis. There is a big update to auparse normalizer
results so that all current events are supported as well as it can be.
SHA256: 18ae558900eb1c85a8d68c42f70f8e71a8f763c2c661ec8e89cccd26edc2d506
Please let me know if you run across any problems with this release.
-Steve
3 years, 4 months
[PATCH -next] audit: Use list_move instead of list_del/list_add
by Baokun Li
Using list_move() instead of list_del() + list_add().
Reported-by: Hulk Robot <hulkci(a)huawei.com>
Signed-off-by: Baokun Li <libaokun1(a)huawei.com>
---
kernel/audit_tree.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 6c91902f4f45..b2be4e978ba3 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -689,8 +689,7 @@ void audit_trim_trees(void)
tree = container_of(cursor.next, struct audit_tree, list);
get_tree(tree);
- list_del(&cursor);
- list_add(&cursor, &tree->list);
+ list_move(&cursor, &tree->list);
mutex_unlock(&audit_filter_mutex);
err = kern_path(tree->pathname, 0, &path);
@@ -899,8 +898,7 @@ int audit_tag_tree(char *old, char *new)
tree = container_of(cursor.next, struct audit_tree, list);
get_tree(tree);
- list_del(&cursor);
- list_add(&cursor, &tree->list);
+ list_move(&cursor, &tree->list);
mutex_unlock(&audit_filter_mutex);
err = kern_path(tree->pathname, 0, &path2);
@@ -925,8 +923,7 @@ int audit_tag_tree(char *old, char *new)
mutex_lock(&audit_filter_mutex);
spin_lock(&hash_lock);
if (!tree->goner) {
- list_del(&tree->list);
- list_add(&tree->list, &tree_list);
+ list_move(&tree->list, &tree_list);
}
spin_unlock(&hash_lock);
put_tree(tree);
@@ -937,8 +934,7 @@ int audit_tag_tree(char *old, char *new)
tree = container_of(barrier.prev, struct audit_tree, list);
get_tree(tree);
- list_del(&tree->list);
- list_add(&tree->list, &barrier);
+ list_move(&tree->list, &barrier);
mutex_unlock(&audit_filter_mutex);
if (!failed) {
3 years, 4 months
[PATCH] audit: Rename enum audit_state constants to avoid AUDIT_DISABLED redefinition
by Sergey Nazarov
AUDIT_DISABLED defined in kernel/audit.h as element of enum audit_state
and redefined in kernel/audit.c. This produces a warning when kernel builds
with syscalls audit disabled and brokes kernel build if -Werror used.
enum audit_state used in syscall audit code only. This patch changes
enum audit_state constants prefix AUDIT to AUDITSC to avoid AUDIT_DISABLED
redefinition.
Signed-off-by: Sergey Nazarov <s-nazarov(a)yandex.ru>
---
kernel/audit.h | 8 ++++----
kernel/auditsc.c | 34 +++++++++++++++++-----------------
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 1522e10..ee81f20 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -21,16 +21,16 @@
a per-task filter. At syscall entry, the audit_state is augmented by
the syscall filter. */
enum audit_state {
- AUDIT_DISABLED, /* Do not create per-task audit_context.
+ AUDITSC_DISABLED, /* Do not create per-task audit_context.
* No syscall-specific audit records can
* be generated. */
- AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context,
+ AUDITSC_BUILD_CONTEXT, /* Create the per-task audit_context,
* and fill it in at syscall
* entry time. This makes a full
* syscall record available if some
* other part of the kernel decides it
* should be recorded. */
- AUDIT_RECORD_CONTEXT /* Create the per-task audit_context,
+ AUDITSC_RECORD_CONTEXT /* Create the per-task audit_context,
* always fill it in at syscall entry
* time, and always write out the audit
* record at syscall exit time. */
@@ -322,7 +322,7 @@ static inline int audit_signal_info_syscall(struct task_struct *t)
return 0;
}
-#define audit_filter_inodes(t, c) AUDIT_DISABLED
+#define audit_filter_inodes(t, c) AUDITSC_DISABLED
#endif /* CONFIG_AUDITSYSCALL */
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 175ef6f..ae6e305 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -231,7 +231,7 @@ static void audit_set_auditable(struct audit_context *ctx)
{
if (!ctx->prio) {
ctx->prio = 1;
- ctx->current_state = AUDIT_RECORD_CONTEXT;
+ ctx->current_state = AUDITSC_RECORD_CONTEXT;
}
}
@@ -751,10 +751,10 @@ static int audit_filter_rules(struct task_struct *tsk,
}
switch (rule->action) {
case AUDIT_NEVER:
- *state = AUDIT_DISABLED;
+ *state = AUDITSC_DISABLED;
break;
case AUDIT_ALWAYS:
- *state = AUDIT_RECORD_CONTEXT;
+ *state = AUDITSC_RECORD_CONTEXT;
break;
}
return 1;
@@ -773,14 +773,14 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
if (audit_filter_rules(tsk, &e->rule, NULL, NULL,
&state, true)) {
- if (state == AUDIT_RECORD_CONTEXT)
+ if (state == AUDITSC_RECORD_CONTEXT)
*key = kstrdup(e->rule.filterkey, GFP_ATOMIC);
rcu_read_unlock();
return state;
}
}
rcu_read_unlock();
- return AUDIT_BUILD_CONTEXT;
+ return AUDITSC_BUILD_CONTEXT;
}
static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
@@ -802,7 +802,7 @@ static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
/* At syscall exit time, this filter is called if the audit_state is
* not low enough that auditing cannot take place, but is also not
* high enough that we already know we have to write an audit record
- * (i.e., the state is AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT).
+ * (i.e., the state is AUDIT_SETUP_CONTEXT or AUDITSC_BUILD_CONTEXT).
*/
static void audit_filter_syscall(struct task_struct *tsk,
struct audit_context *ctx)
@@ -923,7 +923,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
if (!context)
return NULL;
context->state = state;
- context->prio = state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
+ context->prio = state == AUDITSC_RECORD_CONTEXT ? ~0ULL : 0;
INIT_LIST_HEAD(&context->killed_trees);
INIT_LIST_HEAD(&context->names_list);
context->fds[0] = -1;
@@ -950,7 +950,7 @@ int audit_alloc(struct task_struct *tsk)
return 0; /* Return if not auditing. */
state = audit_filter_task(tsk, &key);
- if (state == AUDIT_DISABLED) {
+ if (state == AUDITSC_DISABLED) {
clear_task_syscall_work(tsk, SYSCALL_AUDIT);
return 0;
}
@@ -1628,7 +1628,7 @@ void __audit_free(struct task_struct *tsk)
audit_filter_syscall(tsk, context);
audit_filter_inodes(tsk, context);
- if (context->current_state == AUDIT_RECORD_CONTEXT)
+ if (context->current_state == AUDITSC_RECORD_CONTEXT)
audit_log_exit();
}
@@ -1647,7 +1647,7 @@ void __audit_free(struct task_struct *tsk)
* Fill in audit context at syscall entry. This only happens if the
* audit context was created when the task was created and the state or
* filters demand the audit context be built. If the state from the
- * per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT,
+ * per-task filter or from the per-syscall filter is AUDITSC_RECORD_CONTEXT,
* then the record will be written at syscall exit time (otherwise, it
* will only be written if another part of the kernel requests that it
* be written).
@@ -1664,11 +1664,11 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
BUG_ON(context->in_syscall || context->name_count);
state = context->state;
- if (state == AUDIT_DISABLED)
+ if (state == AUDITSC_DISABLED)
return;
context->dummy = !audit_n_rules;
- if (!context->dummy && state == AUDIT_BUILD_CONTEXT) {
+ if (!context->dummy && state == AUDITSC_BUILD_CONTEXT) {
context->prio = 0;
if (auditd_test_task(current))
return;
@@ -1693,7 +1693,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
* @return_code: return value of the syscall
*
* Tear down after system call. If the audit context has been marked as
- * auditable (either because of the AUDIT_RECORD_CONTEXT state from
+ * auditable (either because of the AUDITSC_RECORD_CONTEXT state from
* filtering, or because some other part of the kernel wrote an audit
* message), then write out the syscall information. In call cases,
* free the names stored from getname().
@@ -1735,12 +1735,12 @@ void __audit_syscall_exit(int success, long return_code)
audit_filter_syscall(current, context);
audit_filter_inodes(current, context);
- if (context->current_state == AUDIT_RECORD_CONTEXT)
+ if (context->current_state == AUDITSC_RECORD_CONTEXT)
audit_log_exit();
}
context->in_syscall = 0;
- context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
+ context->prio = context->state == AUDITSC_RECORD_CONTEXT ? ~0ULL : 0;
audit_free_module(context);
audit_free_names(context);
@@ -1753,7 +1753,7 @@ void __audit_syscall_exit(int success, long return_code)
context->sockaddr_len = 0;
context->type = 0;
context->fds[0] = -1;
- if (context->state != AUDIT_RECORD_CONTEXT) {
+ if (context->state != AUDITSC_RECORD_CONTEXT) {
kfree(context->filterkey);
context->filterkey = NULL;
}
@@ -2203,7 +2203,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
*serial = ctx->serial;
if (!ctx->prio) {
ctx->prio = 1;
- ctx->current_state = AUDIT_RECORD_CONTEXT;
+ ctx->current_state = AUDITSC_RECORD_CONTEXT;
}
return 1;
}
--
1.8.3.1
3 years, 4 months
[PATCH 1/1] audit: remove trailing spaces and tabs
by Zhen Lei
Run the following command to find and remove the trailing spaces and tabs:
sed -r -i 's/[ \t]+$//' kernel/audit*
Signed-off-by: Zhen Lei <thunder.leizhen(a)huawei.com>
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 1522e100fd17..cab3e2652dab 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -1,5 +1,5 @@
/* SPDX-License-Identifier: GPL-2.0-or-later */
-/* audit -- definition of audit_context structure and supporting types
+/* audit -- definition of audit_context structure and supporting types
*
* Copyright 2003-2004 Red Hat, Inc.
* Copyright 2005 Hewlett-Packard Development Company, L.P.
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0a9a1569f1ea..679a43fd342a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -343,13 +343,13 @@ static int audit_compare_uid(kuid_t uid,
{
struct audit_names *n;
int rc;
-
+
if (name) {
rc = audit_uid_comparator(uid, f->op, name->uid);
if (rc)
return rc;
}
-
+
if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
rc = audit_uid_comparator(uid, f->op, n->uid);
@@ -367,13 +367,13 @@ static int audit_compare_gid(kgid_t gid,
{
struct audit_names *n;
int rc;
-
+
if (name) {
rc = audit_gid_comparator(gid, f->op, name->gid);
if (rc)
return rc;
}
-
+
if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
rc = audit_gid_comparator(gid, f->op, n->gid);
--
2.25.1
3 years, 4 months
[RFC PATCH] audit: reduce the number of kauditd_thread wakeups
by Paul Moore
[NOTE: As this is an RFC patch, I wanted to add some commentary at
the top of the patch description explaining where this patch came
from and what testing has been done. This patch is a derivative
of another unreleased patch that removed all of the wake up calls
from the audit_log_start() and audit_log_end() functions; while
that patch worked well, there we some record losees with high
volume burst traffic in the case of `auditctl -a task,never` or
CONFIG_AUDITSYSCALL=n. As this patch doesn't completely remove
the wake up calls these two cases should behave similarly to how
they do today. As far as testing is concerned, this patch passes
both the audit-testsuite and selinux-testsuite without problem and
with expected audit queue losses (no losses outside of the tests
which attempt to generate losses). This patch also preserves the
ability for the system to continue to function, in the
`auditctl -a exit,always -S all` case, albeit very slowly.]
When audit is enabled, the kauditd_thread() function runs in its own
kernel thread, emptying the audit record queue and sending the
entries to userspace via different means. As part of its normal
processing it goes to sleep after emptying the queue and waits for
the audit functions to wake it.
The current audit kernel code attempts to wake the kauditd thread
after each entry is added to the queue. Considering that a single
syscall can have multiple audit records, with each wake attempt
involving locking and additional processing, this can be rather
wasteful. In an effort to limit the number of wake attempts without
unnecessarily risking the audit queue size this patch does the
following:
* In the case of syscall auditing the wake up call is moved from
audit_log_end() to audit_log_exit() meaning that the kauditd
thread is only woken once, at the end of the syscall, after all of
the syscall's audit records have been added to the queue.
* In the case where audit records are generated outside of a syscall
context, the wake up call in audit_log_end() is preserved in order
to ensure that these records do not suffer any additional latency
or put unnecessary pressure on the queue. This is done through
some additional checking in audit_log_start() and an additional
flag in the audit_buffer struct.
* The audit_log_start() function never attempts to wake the kauditd
thread. In the current code this is only done when the queue is
under pressure, but at that point it is extremely likely that the
thread is already active or scheduled, do we should be able to
safely remove this wake attempt.
* Always wake the kauditd thread after processing management and
user records in audit_receive_msg(). This should be relatively
low frequency compared to the other audit sources, and doing a
wake call here helps keep record latency low and the queue size
in check.
* The kauditd thread itself is now a bit better at handling high
volume audit record bursts. Previously after emptying the queue
the thread would wake every process that was blocked and then go
to sleep; possibly going to sleep just a flood of new records
are added to the queue. The new kauditd thread approach wakes all
of the blocked processes and then reschedules itself in
anticipation of new records. When the thread returns to execution
it checks the queue and if there are any records present it
immediately starts processing them, if the queue is empty the
kauditd thread goes back to sleep.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 66 ++++++++++++++++++++++++++++++++++++++----------------
kernel/audit.h | 2 ++
kernel/auditsc.c | 2 ++
3 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 551a394bc8f42..7c3368835bb71 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -197,9 +197,10 @@ static struct audit_ctl_mutex {
* to place it on a transmit queue. Multiple audit_buffers can be in
* use simultaneously. */
struct audit_buffer {
- struct sk_buff *skb; /* formatted skb ready to send */
- struct audit_context *ctx; /* NULL or associated context */
- gfp_t gfp_mask;
+ struct sk_buff *skb;
+ struct audit_context *ctx;
+ gfp_t gfp_mask;
+ unsigned int kauditd_wake:1;
};
struct audit_reply {
@@ -804,6 +805,17 @@ static void kauditd_send_multicast_skb(struct sk_buff *skb)
nlmsg_multicast(sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
}
+/**
+ * kauditd_wakeup - Wake the kauditd_thread
+ *
+ * Description:
+ * Wake up the kauditd_thread thread so that it can process the audit queues.
+ */
+void kauditd_wakeup(void)
+{
+ wake_up_interruptible(&kauditd_wait);
+}
+
/**
* kauditd_thread - Worker thread to send audit records to userspace
* @dummy: unused
@@ -832,6 +844,7 @@ static int kauditd_thread(void *dummy)
portid = ac->portid;
rcu_read_unlock();
+all_queues:
/* attempt to flush the hold queue */
rc = kauditd_send_queue(sk, portid,
&audit_hold_queue, UNICAST_RETRIES,
@@ -861,25 +874,33 @@ static int kauditd_thread(void *dummy)
kauditd_send_multicast_skb,
(sk ?
kauditd_retry_skb : kauditd_hold_skb));
- if (ac && rc < 0)
+ if (ac && rc < 0) {
auditd_reset(ac);
- sk = NULL;
+ goto disconnect;
+ }
+
+ /* we have processed all the queues so wake everyone who might
+ * be waiting, reschedule ourselves to give others a chance to
+ * run, and check the queue once again when we return; if
+ * everything is quiet then we can go back to sleep */
+ wake_up(&audit_backlog_wait);
+ cond_resched();
+ if (skb_queue_len(&audit_queue))
+ goto all_queues;
+disconnect:
/* drop our netns reference, no auditd sends past this line */
+ sk = NULL;
if (net) {
put_net(net);
net = NULL;
}
- /* we have processed all the queues so wake everyone */
- wake_up(&audit_backlog_wait);
-
/* NOTE: we want to wake up if there is anything on the queue,
* regardless of if an auditd is connected, as we need to
* do the multicast send and rotate records from the
* main queue to the retry/hold queues */
- wait_event_freezable(kauditd_wait,
- (skb_queue_len(&audit_queue) ? 1 : 0));
+ wait_event_freezable(kauditd_wait, skb_queue_len(&audit_queue));
}
return 0;
@@ -1509,6 +1530,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
}
+ /* poke the kauditd_thread to handle any records we generated */
+ kauditd_wakeup();
+
return err < 0 ? err : 0;
}
@@ -1750,6 +1774,7 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
ab->ctx = ctx;
ab->gfp_mask = gfp_mask;
+ ab->kauditd_wake = 0;
return ab;
@@ -1831,14 +1856,10 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
while (audit_backlog_limit &&
(skb_queue_len(&audit_queue) > audit_backlog_limit)) {
- /* wake kauditd to try and flush the queue */
- wake_up_interruptible(&kauditd_wait);
-
/* sleep if we are allowed and we haven't exhausted our
* backlog wait limit */
if (gfpflags_allow_blocking(gfp_mask) && (stime > 0)) {
long rtime = stime;
-
DECLARE_WAITQUEUE(wait, current);
add_wait_queue_exclusive(&audit_backlog_wait,
@@ -1864,10 +1885,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
return NULL;
}
- audit_get_stamp(ab->ctx, &t, &serial);
/* cancel dummy context to enable supporting records */
if (ctx)
ctx->dummy = 0;
+ /* force a kauditd wakeup if the normal syscall exit isn't doing it */
+ if (!ctx || !ctx->in_syscall)
+ ab->kauditd_wake = 1;
+
+ audit_get_stamp(ab->ctx, &t, &serial);
audit_log_format(ab, "audit(%llu.%03lu:%u): ",
(unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
@@ -2365,8 +2390,8 @@ int audit_signal_info(int sig, struct task_struct *t)
*
* We can not do a netlink send inside an irq context because it blocks (last
* arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a
- * queue and a kthread is scheduled to remove them from the queue outside the
- * irq context. May be called in any context.
+ * queue where a kthread processes the buffer from outside the irq context.
+ * May be called in any context.
*/
void audit_log_end(struct audit_buffer *ab)
{
@@ -2385,9 +2410,12 @@ void audit_log_end(struct audit_buffer *ab)
nlh = nlmsg_hdr(skb);
nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
- /* queue the netlink packet and poke the kauditd thread */
+ /* queue the netlink packet */
skb_queue_tail(&audit_queue, skb);
- wake_up_interruptible(&kauditd_wait);
+
+ /* only wakeup kauditd if we can't do it later */
+ if (ab->kauditd_wake)
+ kauditd_wakeup();
} else
audit_log_lost("rate limit exceeded");
diff --git a/kernel/audit.h b/kernel/audit.h
index 3b9c0945225a1..b5f677017e975 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -213,6 +213,8 @@ static inline int audit_hash_ino(u32 ino)
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1
+extern void kauditd_wakeup(void);
+
extern int audit_match_class(int class, unsigned syscall);
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 47fb48f42c934..bad776497438f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1600,6 +1600,8 @@ static void audit_log_exit(void)
audit_log_end(ab);
if (call_panic)
audit_panic("error converting sid to string");
+
+ kauditd_wakeup();
}
/**
3 years, 4 months
Unhelpful events
by Steve Grubb
Hello,
While patching up the event normalizer, I run across these events which
really have no useful information:
type=BPF msg=audit(1622913714.840:15017): prog-id=137 op=UNLOAD
type=TIME_INJOFFSET msg=audit(1622547739.500:4): sec=0 nsec=486383948
type=NETFILTER_CFG msg=audit(06/06/2021 08:44:53.947:976) : table=filter
family=bridge entries=0 op=xt_unregister pid=5833
subj=system_u:system_r:kernel_t:s0 comm=kworker/u16:3
Either their syscall record is missing or they simply do not have all the
necessary information. (Subject, action, object, results)
-Steve
3 years, 4 months
Current problematic cases with immutable loginuid
by Andreas Hasenack
Hi,
I was reading up on setting loginuid immutable, and was wondering what
are the current known problematic cases.
In general, anything that requires switching a set loginuid to another
value will be blocked:
- sshd started on another port by the logged in user to debug
something, and that debug requires logging in as a different user than
the one who started it up
- container that starts up within the user's session, instead of via
dockerd/containerd, systemd, or some other already-running daemon. I
read a lengthy bug in Redhat's bugzilla about a bad interaction with
systemd's nspawn, where apparently the container is started directly,
and thus inheriting the user's loginuid, instead of being started via
a request to systemd (the daemon)
The manpage mentions "certain kinds of containers", and I assume it's
a reference to nspawn's case above.
Are there other prominent problematic situations that people have
encountered while setting loginuid immutable?
3 years, 4 months