From: Lennart Poettering
Date: Mon, 3 Nov 2014 20:09:38 +0000 (+0100)
Subject: core: introduce ConditionSecurity=audit
X-Git-Tag: v218~593
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=cfb1f5df7ce6868d3edb7333591b91c9809d64d3
core: introduce ConditionSecurity=audit
And conditionalize journald audit support with it
---
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 803eff24a..6d4c5c11e 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1080,14 +1080,15 @@ ConditionSecurity= may be used to check whether the given security module is enabled on the - system. Currently the recognized values - values are selinux, + system. Currently the recognized + values values are + selinux, apparmor, - ima and - smack. - The test may be negated by prepending - an exclamation - mark. + ima, + smack and + audit. The test may + be negated by prepending an + exclamation mark. ConditionCapability= may be used to check whether the given
diff --git a/src/core/condition.c b/src/core/condition.c
index ec78169fc..8e2e3118d 100644
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -38,6 +38,7 @@
 #include "apparmor-util.h"
 #include "ima-util.h"
 #include "selinux-util.h"
+#include "audit.h"
 
 static bool condition_test_security(Condition *c) {
 assert(c);
@@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) {
 return mac_smack_use() == !c->negate;
 if (streq(c->parameter, "apparmor"))
 return mac_apparmor_use() == !c->negate;
+ if (streq(c->parameter, "audit"))
+ return use_audit() == !c->negate;
 if (streq(c->parameter, "ima"))
 return use_ima() == !c->negate;
 
diff --git a/src/shared/audit.c b/src/shared/audit.c
index f10105082..4701c0a8d 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
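Review bot: The new `"audit"` branch makes ConditionSecurity=audit true whenever `use_audit()` returns true, and from the audit.c hunk that function answers true as soon as an AF_NETLINK/NETLINK_AUDIT socket can be created, which as far as I can tell holds whenever the kernel was built with audit support, regardless of whether auditing is currently switched on; the man page hunk describes the value as "enabled on the system", so unit authors may read the stronger meaning into it. If the weaker check is intended, a comment at the new branch would save the next reader a trip to audit.c, e.g. `/* "audit" means the kernel offers the audit netlink family, not that auditing is enabled */`. The rest of condition_test_security(), including what it returns for an unrecognized parameter, lies outside the hunk.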
@@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
 *uid = (uid_t) u;
 return 0;
 }
+
+bool use_audit(void) {
+ static int cached_use = -1;
+
+ if (cached_use < 0) {
+ int fd;
+
+ fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
+ if (fd < 0)
+ cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT;
+ else {
+ cached_use = true;
+ safe_close(fd);
+ }
+ }
+
+ return cached_use;
+}
diff --git a/src/shared/audit.h b/src/shared/audit.h
index 0effc0baa..b4aecffb3 100644
--- a/src/shared/audit.h
+++ b/src/shared/audit.h
@@ -27,3 +27,5 @@ int audit_session_from_pid(pid_t pid, uint32_t *id); int audit_loginuid_from_pid(pid_t pid, uid_t *uid); + +bool use_audit(void);
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
index ce849da04..35397aaeb 100644
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -10,6 +10,7 @@ Description=Journal Audit Socket
 Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 DefaultDependencies=no
 Before=sockets.target
+ConditionSecurity=audit
 
 [Socket]
 Service=systemd-journald.service
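Review bot: In use_audit(), any socket() failure other than EAFNOSUPPORT/EPROTONOSUPPORT is cached as "audit available", so a transient EMFILE/ENFILE/ENOBUFS, or an EPERM/EACCES from a seccomp filter or LSM policy, permanently answers true for the life of the process — and since ConditionSecurity= is evaluated by the manager, that is the lifetime of PID 1. If that bias is intended ("assume present unless the kernel says the family is absent"), it deserves a comment above the probe, e.g. `/* Only a missing netlink family proves audit is absent; other errors (fd limits, sandboxing) are treated as "present", and the answer is cached for the process lifetime. */`; otherwise consider leaving `cached_use` at -1 for those other errors so the probe is retried on the next call. The cache is a plain static written without synchronization, which presumably mirrors the other use_*()/mac_*_use() helpers and is harmless while callers are single-threaded, but that assumption is worth stating in the same comment.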
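Review bot: `bool use_audit(void);` is the only visible declaration in audit.h that needs `bool`; the existing prototypes only use pid_t, uid_t and uint32_t. The header's include list is outside the hunk, so confirm that it (or a header it pulls in) provides <stdbool.h>, otherwise a translation unit that includes audit.h before <stdbool.h> will fail to compile.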