Merge pull request #1542 from keszybz/journal-audit-optional

Make journald audit socket maskable
Lennart Poettering 2015-10-13 17:23:33 +02:00
commit 18438f262c
5 changed files with 46 additions and 14 deletions


@ -374,6 +374,7 @@ MANPAGES_ALIAS += \
man/systemd-hybrid-sleep.service.8 \
man/systemd-initctl.8 \
man/systemd-initctl.socket.8 \
man/systemd-journald-audit.socket.8 \
man/systemd-journald-dev-log.socket.8 \
man/systemd-journald.8 \
man/systemd-journald.socket.8 \
@ -663,6 +664,7 @@ man/systemd-hibernate.service.8: man/systemd-suspend.service.8
man/systemd-hybrid-sleep.service.8: man/systemd-suspend.service.8
man/systemd-initctl.8: man/systemd-initctl.service.8
man/systemd-initctl.socket.8: man/systemd-initctl.service.8
man/systemd-journald-audit.socket.8: man/systemd-journald.service.8
man/systemd-journald-dev-log.socket.8: man/systemd-journald.service.8
man/systemd-journald.8: man/systemd-journald.service.8
man/systemd-journald.socket.8: man/systemd-journald.service.8
@ -1378,6 +1380,9 @@ man/systemd-initctl.html: man/systemd-initctl.service.html
man/systemd-initctl.socket.html: man/systemd-initctl.service.html
$(html-alias)
man/systemd-journald-audit.socket.html: man/systemd-journald.service.html
$(html-alias)
man/systemd-journald-dev-log.socket.html: man/systemd-journald.service.html
$(html-alias)


@ -46,6 +46,7 @@
<refname>systemd-journald.service</refname>
<refname>systemd-journald.socket</refname>
<refname>systemd-journald-dev-log.socket</refname>
<refname>systemd-journald-audit.socket</refname>
<refname>systemd-journald</refname>
<refpurpose>Journal service</refpurpose>
</refnamediv>
@ -54,6 +55,7 @@
<para><filename>systemd-journald.service</filename></para>
<para><filename>systemd-journald.socket</filename></para>
<para><filename>systemd-journald-dev-log.socket</filename></para>
<para><filename>systemd-journald-audit.socket</filename></para>
<para><filename>/usr/lib/systemd/systemd-journald</filename></para>
</refsynopsisdiv>
@ -230,7 +232,20 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
<filename>/var/log/journal</filename> is not available, or
when <option>Storage=volatile</option> is set in the
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
configuration file. </para></listitem>
configuration file.</para></listitem>
</varlistentry>
<varlistentry>
<term><filename>/dev/kmsg</filename></term>
<term><filename>/dev/log</filename></term>
<term><filename>/run/systemd/journal/dev-log</filename></term>
<term><filename>/run/systemd/journal/socket</filename></term>
<term><filename>/run/systemd/journal/stdout</filename></term>
<listitem><para>Sockets that
<command>systemd-journald</command> will listen on that are
visible in the file system. In addition to those, journald can
listen for audit events using netlink.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -1446,6 +1446,7 @@ static int server_open_hostname(Server *s) {
int server_init(Server *s) {
_cleanup_fdset_free_ FDSet *fds = NULL;
int n, r, fd;
bool no_sockets;
assert(s);
@ -1555,30 +1556,44 @@ int server_init(Server *s) {
}
}
r = server_open_stdout_socket(s, fds);
if (r < 0)
return r;
/* Try to restore streams, but don't bother if this fails */
(void) server_restore_streams(s, fds);
if (fdset_size(fds) > 0) {
log_warning("%u unknown file descriptors passed, closing.", fdset_size(fds));
fds = fdset_free(fds);
}
no_sockets = s->native_fd < 0 && s->stdout_fd < 0 && s->syslog_fd < 0 && s->audit_fd < 0;
/* always open stdout, syslog, native, and kmsg sockets */
/* systemd-journald.socket: /run/systemd/journal/stdout */
r = server_open_stdout_socket(s);
if (r < 0)
return r;
/* systemd-journald-dev-log.socket: /run/systemd/journal/dev-log */
r = server_open_syslog_socket(s);
if (r < 0)
return r;
/* systemd-journald.socket: /run/systemd/journal/socket */
r = server_open_native_socket(s);
if (r < 0)
return r;
/* /dev/ksmg */
r = server_open_dev_kmsg(s);
if (r < 0)
return r;
r = server_open_audit(s);
if (r < 0)
return r;
/* Unless we got *some* sockets and not audit, open audit socket */
if (s->audit_fd >= 0 || no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
}
r = server_open_kernel_seqnum(s);
if (r < 0)


@ -627,7 +627,7 @@ static int stdout_stream_restore(Server *s, const char *fname, int fd) {
return 0;
}
static int server_restore_streams(Server *s, FDSet *fds) {
int server_restore_streams(Server *s, FDSet *fds) {
_cleanup_closedir_ DIR *d = NULL;
struct dirent *de;
int r;
@ -681,7 +681,7 @@ fail:
return log_error_errno(errno, "Failed to read streams directory: %m");
}
int server_open_stdout_socket(Server *s, FDSet *fds) {
int server_open_stdout_socket(Server *s) {
int r;
assert(s);
@ -717,8 +717,5 @@ int server_open_stdout_socket(Server *s, FDSet *fds) {
if (r < 0)
return log_error_errno(r, "Failed to adjust priority of stdout server event source: %m");
/* Try to restore streams, but don't bother if this fails */
(void) server_restore_streams(s, fds);
return 0;
}


@ -24,6 +24,6 @@
#include "fdset.h"
#include "journald-server.h"
int server_open_stdout_socket(Server *s, FDSet *fds);
int server_open_stdout_socket(Server *s);
int server_restore_streams(Server *s, FDSet *fds);
void stdout_stream_free(StdoutStream *s);
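Review bot: `server_restore_streams()` is exported here for the first time without a comment describing its contract, even though its only caller in server_init() deliberately ignores the result. A line such as `/* Best-effort: re-adopts stdout stream fds found in 'fds'; failures are logged and the return value may be ignored. */` above the prototype would record that. It would also be worth stating there that server_open_stdout_socket() no longer performs the restore itself, so any new caller of the latter has to invoke server_restore_streams() explicitly.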