core: introduce ConditionSecurity=audit

And conditionalize journald audit support with it
2025-01-21 18:03:41 +03:00 · 2014-11-03 21:09:38 +01:00 · 2014-11-03 21:09:38 +01:00 · cfb1f5df7c
commit cfb1f5df7c
parent 875c2e220e
5 changed files with 32 additions and 7 deletions
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -1080,14 +1080,15 @@
                                <para><varname>ConditionSecurity=</varname>
                                may be used to check whether the given
                                security module is enabled on the
-                                system. Currently the recognized values
-                                values are <varname>selinux</varname>,
+                                system. Currently the recognized
+                                values values are
+                                <varname>selinux</varname>,
                                <varname>apparmor</varname>,
-                                <varname>ima</varname> and
-                                <varname>smack</varname>.
-                                The test may be negated by prepending
-                                an exclamation
-                                mark.</para>
+                                <varname>ima</varname>,
+                                <varname>smack</varname> and
+                                <varname>audit</varname>. The test may
+                                be negated by prepending an
+                                exclamation mark.</para>

                                <para><varname>ConditionCapability=</varname>
                                may be used to check whether the given
--- a/src/core/condition.c
+++ b/src/core/condition.c
@ -38,6 +38,7 @@
 #include "apparmor-util.h"
 #include "ima-util.h"
 #include "selinux-util.h"
+#include "audit.h"

 static bool condition_test_security(Condition *c) {
        assert(c);
@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) {
                return mac_smack_use() == !c->negate;
        if (streq(c->parameter, "apparmor"))
                return mac_apparmor_use() == !c->negate;
+        if (streq(c->parameter, "audit"))
+                return use_audit() == !c->negate;
        if (streq(c->parameter, "ima"))
                return use_ima() == !c->negate;

--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
        *uid = (uid_t) u;
        return 0;
 }
+
+bool use_audit(void) {
+        static int cached_use = -1;
+
+        if (cached_use < 0) {
+                int fd;
+
+                fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
+                if (fd < 0)
+                        cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT;
+                else {
+                        cached_use = true;
+                        safe_close(fd);
+                }
+        }
+
+        return cached_use;
+}
--- a/src/shared/audit.h
+++ b/src/shared/audit.h
@ -27,3 +27,5 @@

 int audit_session_from_pid(pid_t pid, uint32_t *id);
 int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
+
+bool use_audit(void);
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@ -10,6 +10,7 @@ Description=Journal Audit Socket
 Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 DefaultDependencies=no
 Before=sockets.target
+ConditionSecurity=audit

 [Socket]
 Service=systemd-journald.service