*** This bug is a security vulnerability ***
Public security bug reported:
systemd-journald-audit.socket attempts to start in unpriviledged LXD
container, but cannot.
It fails with resource. There are no interesting logs inside the
container, or on the host.
The socket unit is as below, and both conditions dopass for the
unpriviledged container.
[Unit]
Description=Journal Audit Socket
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Before=sockets.target
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
[Socket]
Service=systemd-journald.service
ReceiveBuffer=128M
ListenNetlink=audit 1
PassCredentials=yes
Are there any capabilities that are set/not-set for the priviledged/non-
priviledged container in LXD? As in, are there any ways to distinguish
between priviledge / unpriviledged container for which CAP_AUDIT_READ
will in fact work or not?
Currently ubuntu boots degraded inside unpriviledged lxd container, and
that does not look nice. Or attempting to use a capability is the only
way to know for sure?
** Affects: lxd (Ubuntu)
Importance: Undecided
Status: New
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Tags: degraded
** Also affects: lxd (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1707901
Title:
systemd-journald-audit.socket attempts to start in unpriviledged LXD
container, but cannot
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1707901/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
