[Bisected] CONFIG_AUDIT in linux-3.14-rc1+ breaking Linux Containers?

Fri Feb 14 22:56:22 UTC 2014

Hi.

If I take an Ubuntu 13.10-amd64 system and install an Ubuntu 13.04-i386 Linux Container, it works fine with kernel.org kernel releases through Linux-3.13, but, for Linux-13.14-rc1 and beyond, I cannot login with "lxc-console".  In that case, if I try to log in as "ubuntu" with the correct password, it quickly tell me the login was incorrect, and prompts me with a new "login:" prompt, but without the delay that occurs if I type in the wrong password.  I haven't bothered breaking into the "linux container", but, looking at its log files from the outside as it runs, I see some PAM errors about "operation not permitted."

I have reproduced this problem with the following container configurations, all on an 
Ubuntu 13.10-amd64 hosts ("amd64" is Ubuntu's terminology, not my jibing Intel):

Ubuntu 13.04-i386
Ubuntu 13.10-i386
Ubuntu 13.10-amd64

I have also reproduced this with a kernel built from git://git.infradead.org/users/eparis/audit.git yesterday (Ubuntu 13.10-amd64 hosting an Ubuntu
 13.04-i386 container).

I have also tried disabling CONFIG_AUDIT{SYSCALL,_WATCH,_TREE} and CONFIG_KVM_MMU_AUDIT from linux-3.14-rc2-x86_64 and still observed the same problem.

Doing a "git bisect" on Linus's public tree brought me to the following change (Ubuntu 13.10-x86_64 hosting an Ubuntu 13.04-i386
 container):

33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb is the first bad commit
commit 33faba7fa7f2288d2f8aaea95958b2c97bf9ebfb
Author: Richard Guy Briggs <rgb at redhat.com>
Date:   Tue Jul 16 13:18:45 2013 -0400

    audit: listen in all network namespaces

    Convert audit from only
 listening in init_net to use register_pernet_subsys()
    to dynamically manage the netlink socket list.

    Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
    Signed-off-by: Eric Paris <eparis at redhat.com>

:040000 040000 3c5f63118d5fe9b5a4f0a6dd828249979a10ffa0 c8feaa4fd9bc260cde3bb703ff20ae6938fabe6a M    kernel

For those of you who are not used to using Linux Containers, here are some commands that should reproduce the bug, although I am going from memory rather than copying from my command history.

% sudo lxc-create -t ubuntu -n myubuntu13.04 -- --release raring --arch i386
# ^^ This takes a while.  It installs a Linux distribution in a directory.

% sudo lxc-start -n myubuntu13.04 -d
% sudo lxc-console
 -n myubuntu13.04
...Try to log in as "ubuntu" with password "ubuntu".  When you'd done, do <ctrl-A>q to disconnect the session.
% sudo lxc-stop -n myubuntu13.04
# This next command basically does "rm -rf" on the container's directory tree.
% sudo lxc-destroy -n myubuntu13.04

In the above example, change "raring" to "saucy" if you want Ubuntu 13.10.  You can change i386 to amd64 to try 64-bit.  "myubuntu13.04" is just a name, which you can change to whatever you want.  The Fedora container template shipped with Ubuntu 13.10 does not install for me, otherwise I would have tested that too.

I am not yet sure if this is really a kernel bug or if this is a case of a valid change in Linux kernel behavior exposing a bug elsewhere (for example, Ubuntu's PAM configuration).  I am not a Linux Audit developer.  I am hoping that, if this is a Linux Audit bug, you folks will be able to take it from here, but I'm happy to try to help as best I
 can.

Thanks in advance for any help with this.

Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140214/f73c0266/attachment.htm>