git-history.diyao.me Git - systemd/.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Thu, 7 Nov 2024 13:48:57 +0000 (14:48 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 12 Nov 2024 22:03:03 +0000 (23:03 +0100)
commit	7e02ee98d86702b8e7055f0a6d8e6ea48267ad23
tree	43fbe5e559ff20e9314454d83999432c257a01f8	tree \| snapshot
parent	fa8a55a91422fdf86efe6bc06d73c2fa00fc5bae	commit \| diff

audit-util: return -ENODATA from audit_{session|loginuid}_from_pid() if invoked in a container

The auditing subsystem is still not virtualized for containers, hence the two
values don't really make sense inside them, they will just leak
information from outside into the container. Hence don't make use of the
data if we detect we are run inside of a container.

This has visible effects: logind will no longer try to reuse the
auditing session ids as its own session ids when run inside a container.

While are at it, modernize the calls in more ways:

1. switch to pidref behaviour, all but one of our uses are using pidref
   anyway already.
2. use read_virtual_file() + proc_mounted()
3. reasonable distinguish ENOENT errors when reading the process proc
   files: distinguish the case where /proc is not mounted, from the case
   where the process is already gone, from where auditing is not enabled
   in the kernel build.

src/basic/audit-util.c		diff \| blob \| history
src/basic/audit-util.h		diff \| blob \| history
src/journal/journald-context.c		diff \| blob \| history
src/libsystemd/sd-bus/bus-creds.c		diff \| blob \| history
src/login/logind-dbus.c		diff \| blob \| history
src/login/logind-session.c		diff \| blob \| history
src/test/meson.build		diff \| blob \| history
src/test/test-audit-util.c	[new file with mode: 0644]	blob