chiark / gitweb /
core: introduce ConditionSecurity=audit
authorLennart Poettering <lennart@poettering.net>
Mon, 3 Nov 2014 20:09:38 +0000 (21:09 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 3 Nov 2014 20:51:28 +0000 (21:51 +0100)
And conditionalize journald audit support with it

man/systemd.unit.xml
src/core/condition.c
src/shared/audit.c
src/shared/audit.h
units/systemd-journald-audit.socket

index 803eff2..6d4c5c1 100644 (file)
                                 <para><varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
-                                system. Currently the recognized values
-                                values are <varname>selinux</varname>,
+                                system. Currently the recognized
+                                values values are
+                                <varname>selinux</varname>,
                                 <varname>apparmor</varname>,
-                                <varname>ima</varname> and
-                                <varname>smack</varname>.
-                                The test may be negated by prepending
-                                an exclamation
-                                mark.</para>
+                                <varname>ima</varname>,
+                                <varname>smack</varname> and
+                                <varname>audit</varname>. The test may
+                                be negated by prepending an
+                                exclamation mark.</para>
 
                                 <para><varname>ConditionCapability=</varname>
                                 may be used to check whether the given
index ec78169..8e2e311 100644 (file)
@@ -38,6 +38,7 @@
 #include "apparmor-util.h"
 #include "ima-util.h"
 #include "selinux-util.h"
+#include "audit.h"
 
 static bool condition_test_security(Condition *c) {
         assert(c);
@@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) {
                 return mac_smack_use() == !c->negate;
         if (streq(c->parameter, "apparmor"))
                 return mac_apparmor_use() == !c->negate;
+        if (streq(c->parameter, "audit"))
+                return use_audit() == !c->negate;
         if (streq(c->parameter, "ima"))
                 return use_ima() == !c->negate;
 
index f101050..4701c0a 100644 (file)
@@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
         *uid = (uid_t) u;
         return 0;
 }
+
+bool use_audit(void) {
+        static int cached_use = -1;
+
+        if (cached_use < 0) {
+                int fd;
+
+                fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
+                if (fd < 0)
+                        cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT;
+                else {
+                        cached_use = true;
+                        safe_close(fd);
+                }
+        }
+
+        return cached_use;
+}
index 0effc0b..b4aecff 100644 (file)
@@ -27,3 +27,5 @@
 
 int audit_session_from_pid(pid_t pid, uint32_t *id);
 int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
+
+bool use_audit(void);
index ce849da..35397aa 100644 (file)
@@ -10,6 +10,7 @@ Description=Journal Audit Socket
 Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 DefaultDependencies=no
 Before=sockets.target
+ConditionSecurity=audit
 
 [Socket]
 Service=systemd-journald.service