From: Jon Masters <j...@jonmasters.org>

Systemd relies upon CONFIG_AUDITSYSCALL support being present in the kernel.
This is because systemd-logind calls audit_session_from_pid, which uses
/proc/self/sessionid to determine whether an existing session is being
replaced as part of e.g. a call to sudo, pkexec, or similar. Without
support for system call auditing, these commands will silently fail as
their session is killed immediately after it is created by systemd.

For now, add a check after the existing cgroups test, but in the future
these functions should all move into a generic check_kconfig function
that tests all of the configured kernel options, including these for
compliance with the evolving base platform requirements of systemd.

Signed-off-by: Jon Masters <j...@jonmasters.org>
---
 src/core/main.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/core/main.c b/src/core/main.c
index 71e0a6c..5d5963d 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1243,6 +1243,18 @@ static void test_cgroups(void) {
         sleep(10);
 }
 
+static void test_audit_session(void) {
+
+        if (access("/proc/self/sessionid", F_OK) >= 0)
+                return;
+
+        log_warning("CONFIG_AUDITSYSCALL was not set when your kernel was "
+                    "compiled. Systems without system call auditing will "
+                    "experience session creation problems with commands such "
+                    "as sudo, pkexec, and so on. Please fix your kernel or ask 
"
+                    "your Linux distribution to enable CONFIG_AUDITSYSCALL.");
+}
+
 static int initialize_join_controllers(void) {
         /* By default, mount "cpu" + "cpuacct" together, and "net_cls"
          * + "net_prio". We'd like to add "cpuset" to the mix, but
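Review bot: the access(..., F_OK) test in test_audit_session treats every failure as "kernel built without CONFIG_AUDITSYSCALL", but only ENOENT means that; an EACCES or a /proc that is not mounted yet would trigger the same warning and send the admin after the wrong fix, so consider testing errno == ENOENT and logging any other error as a separate message. A smaller point: test_cgroups directly above ends its warning path with sleep(10) so the text stays visible on the console; if this new warning intentionally does not do the same, a short comment saying why would stop the next reader from "fixing" it.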
@@ -1604,6 +1616,7 @@ int main(int argc, char *argv[]) {
                 test_mtab();
                 test_usr();
                 test_cgroups();
+                test_audit_session();
         }
 
         if (arg_running_as == SYSTEMD_SYSTEM && arg_runtime_watchdog > 0)
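Review bot: test_audit_session() is added to the same block as test_mtab/test_usr/test_cgroups, so it runs exactly when they do and is skipped under the same condition (not shown in this hunk). Since the commit message says it is systemd-logind, not PID 1, that reads /proc/self/sessionid, a one-line comment next to the call explaining why the check is done once at boot in main.c rather than in logind would help, and it ties in with the commit message's plan for a generic check_kconfig function.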
-- 
1.7.11.7

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel