core: introduce ConditionSecurity=audit
authorLennart Poettering <lennart@poettering.net>
Mon, 3 Nov 2014 20:09:38 +0000 (21:09 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 3 Nov 2014 20:51:28 +0000 (21:51 +0100)
And conditionalize journald audit support with it

man/systemd.unit.xml
src/core/condition.c
src/shared/audit.c
src/shared/audit.h
units/systemd-journald-audit.socket

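--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
                                 <para><varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
-                                system. Currently the recognized values
-                                values are <varname>selinux</varname>,
+                                system. Currently the recognized
+                                values values are
+                                <varname>selinux</varname>,
                                 <varname>apparmor</varname>,
-                                <varname>ima</varname> and
-                                <varname>smack</varname>.
-                                The test may be negated by prepending
-                                an exclamation
-                                mark.</para>
+                                <varname>ima</varname>,
+                                <varname>smack</varname> and
+                                <varname>audit</varname>. The test may
+                                be negated by prepending an
+                                exclamation mark.</para>
 
                                 <para><varname>ConditionCapability=</varname>
                                 may be used to check whether the given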
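--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -38,6 +38,7 @@
 #include "apparmor-util.h"
 #include "ima-util.h"
 #include "selinux-util.h"
+#include "audit.h"
 
 static bool condition_test_security(Condition *c) {
         assert(c);
@@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) {
                 return mac_smack_use() == !c->negate;
         if (streq(c->parameter, "apparmor"))
                 return mac_apparmor_use() == !c->negate;
+        if (streq(c->parameter, "audit"))
+                return use_audit() == !c->negate;
         if (streq(c->parameter, "ima"))
                 return use_ima() == !c->negate;
 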
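--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
         *uid = (uid_t) u;
         return 0;
 }
+
+bool use_audit(void) {
+        static int cached_use = -1;
+
+        if (cached_use < 0) {
+                int fd;
+
+                fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
+                if (fd < 0)
+                        cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT;
+                else {
+                        cached_use = true;
+                        safe_close(fd);
+                }
+        }
+
+        return cached_use;
+}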
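Review bot: On the `fd < 0` branch every errno other than EAFNOSUPPORT and EPROTONOSUPPORT is cached as "audit available" for the lifetime of the process, so a transient failure such as EMFILE/ENFILE, or an EPERM from a sandbox that filters AF_NETLINK, permanently makes use_audit() report true even though no audit socket can be opened, and the ConditionSecurity=audit check added to units/systemd-journald-audit.socket then passes on such systems. Consider not caching resource-exhaustion failures and, if the intended meaning is "audit is usable from this process", treating EPERM as unavailable: `if (errno == EMFILE || errno == ENFILE) return false; /* transient: do not cache */` before the assignment, and `cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT && errno != EPERM;`. The static cache is unsynchronized, which is only safe if callers are single-threaded as the sibling mac_*_use() helpers presumably assume; a one-line comment stating that assumption would help the next reader. A header comment such as `/* Returns true if the kernel offers the audit netlink family; the result is cached per process. */` would document the contract for callers.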
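--- a/src/shared/audit.h
+++ b/src/shared/audit.h
@@ -27,3 +27,5 @@
 
 int audit_session_from_pid(pid_t pid, uint32_t *id);
 int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
+
+bool use_audit(void);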
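Review bot: The new prototype `bool use_audit(void);` relies on `bool` being visible, and the header's include block is outside the hunk; if audit.h does not already include `<stdbool.h>`, add it so the header stays self-contained rather than depending on the includer's include order. A brief comment on the declaration, e.g. `/* True if the audit netlink family is available; the result is cached per process. */`, would also document the contract for callers such as condition.c.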
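--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -10,6 +10,7 @@ Description=Journal Audit Socket
 Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 DefaultDependencies=no
 Before=sockets.target
+ConditionSecurity=audit
 
 [Socket]
 Service=systemd-journald.service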