• Eric Paris's avatar
    AUDIT: Allow login in non-init namespaces · aa4af831
    Eric Paris authored
    It its possible to configure your PAM stack to refuse login if audit
    messages (about the login) were unable to be sent.  This is common in
    many distros and thus normal configuration of many containers.  The PAM
    modules determine if audit is enabled/disabled in the kernel based on
    the return value from sending an audit message on the netlink socket.
    If userspace gets back ECONNREFUSED it believes audit is disabled in the
    kernel.  If it gets any other error else it refuses to let the login
    proceed.
    
    Just about ever since the introduction of namespaces the kernel audit
    subsystem has returned EPERM if the task sending a message was not in
    the init user or pid namespace.  So many forms of containers have never
    worked if audit was enabled in the kernel.
    
    BUT if the container was not in net_init then the kernel network code
    would send ECONNREFUSED (instead of the audit code sending EPERM).  Thus
    by pure accident/dumb luck/bug if an admin configured the PAM stack to
    reject all logins that didn't talk to audit, but then ran the login
    untility in the non-init_net namespace, it would work!! Clearly this was
    a bug, but it is a bug some people expected.
    
    With the introduction of network namespace support in 3.14-rc1 the two
    bugs stopped cancelling each other out.  Now, containers in the
    non-init_net namespace refused to let users log in (just like PAM was
    configfured!) Obviously some people were not happy that what used to let
    users log in, now didn't!
    
    This fix is kinda hacky.  We return ECONNREFUSED for all non-init
    relevant namespaces.  That means that not only will the old broken
    non-init_net setups continue to work, now the broken non-init_pid or
    non-init_user setups will 'work'.  They don't really work, since audit
    isn't logging things.  But it's what most users want.
    
    In 3.15 we should have patches to support not only the non-init_net
    (3.14) namespace but also the non-init_pid and non-init_user namespace.
    So all will be right in the world.  This just opens the doors wide open
    on 3.14 and hopefully makes users happy, if not the audit system...
    Reported-by: default avatarAndre Tomt <andre@tomt.net>
    Reported-by: default avatarAdam Richter <adam_richter2004@yahoo.com>
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    aa4af831
audit.c 50.9 KB