Merge pull request #1542 from keszybz/journal-audit-optional
Make journald audit socket maskable
This commit is contained in:
commit
18438f262c
@ -374,6 +374,7 @@ MANPAGES_ALIAS += \
|
|||||||
man/systemd-hybrid-sleep.service.8 \
|
man/systemd-hybrid-sleep.service.8 \
|
||||||
man/systemd-initctl.8 \
|
man/systemd-initctl.8 \
|
||||||
man/systemd-initctl.socket.8 \
|
man/systemd-initctl.socket.8 \
|
||||||
|
man/systemd-journald-audit.socket.8 \
|
||||||
man/systemd-journald-dev-log.socket.8 \
|
man/systemd-journald-dev-log.socket.8 \
|
||||||
man/systemd-journald.8 \
|
man/systemd-journald.8 \
|
||||||
man/systemd-journald.socket.8 \
|
man/systemd-journald.socket.8 \
|
||||||
@ -663,6 +664,7 @@ man/systemd-hibernate.service.8: man/systemd-suspend.service.8
|
|||||||
man/systemd-hybrid-sleep.service.8: man/systemd-suspend.service.8
|
man/systemd-hybrid-sleep.service.8: man/systemd-suspend.service.8
|
||||||
man/systemd-initctl.8: man/systemd-initctl.service.8
|
man/systemd-initctl.8: man/systemd-initctl.service.8
|
||||||
man/systemd-initctl.socket.8: man/systemd-initctl.service.8
|
man/systemd-initctl.socket.8: man/systemd-initctl.service.8
|
||||||
|
man/systemd-journald-audit.socket.8: man/systemd-journald.service.8
|
||||||
man/systemd-journald-dev-log.socket.8: man/systemd-journald.service.8
|
man/systemd-journald-dev-log.socket.8: man/systemd-journald.service.8
|
||||||
man/systemd-journald.8: man/systemd-journald.service.8
|
man/systemd-journald.8: man/systemd-journald.service.8
|
||||||
man/systemd-journald.socket.8: man/systemd-journald.service.8
|
man/systemd-journald.socket.8: man/systemd-journald.service.8
|
||||||
@ -1378,6 +1380,9 @@ man/systemd-initctl.html: man/systemd-initctl.service.html
|
|||||||
man/systemd-initctl.socket.html: man/systemd-initctl.service.html
|
man/systemd-initctl.socket.html: man/systemd-initctl.service.html
|
||||||
$(html-alias)
|
$(html-alias)
|
||||||
|
|
||||||
|
man/systemd-journald-audit.socket.html: man/systemd-journald.service.html
|
||||||
|
$(html-alias)
|
||||||
|
|
||||||
man/systemd-journald-dev-log.socket.html: man/systemd-journald.service.html
|
man/systemd-journald-dev-log.socket.html: man/systemd-journald.service.html
|
||||||
$(html-alias)
|
$(html-alias)
|
||||||
|
|
||||||
|
@ -46,6 +46,7 @@
|
|||||||
<refname>systemd-journald.service</refname>
|
<refname>systemd-journald.service</refname>
|
||||||
<refname>systemd-journald.socket</refname>
|
<refname>systemd-journald.socket</refname>
|
||||||
<refname>systemd-journald-dev-log.socket</refname>
|
<refname>systemd-journald-dev-log.socket</refname>
|
||||||
|
<refname>systemd-journald-audit.socket</refname>
|
||||||
<refname>systemd-journald</refname>
|
<refname>systemd-journald</refname>
|
||||||
<refpurpose>Journal service</refpurpose>
|
<refpurpose>Journal service</refpurpose>
|
||||||
</refnamediv>
|
</refnamediv>
|
||||||
@ -54,6 +55,7 @@
|
|||||||
<para><filename>systemd-journald.service</filename></para>
|
<para><filename>systemd-journald.service</filename></para>
|
||||||
<para><filename>systemd-journald.socket</filename></para>
|
<para><filename>systemd-journald.socket</filename></para>
|
||||||
<para><filename>systemd-journald-dev-log.socket</filename></para>
|
<para><filename>systemd-journald-dev-log.socket</filename></para>
|
||||||
|
<para><filename>systemd-journald-audit.socket</filename></para>
|
||||||
<para><filename>/usr/lib/systemd/systemd-journald</filename></para>
|
<para><filename>/usr/lib/systemd/systemd-journald</filename></para>
|
||||||
</refsynopsisdiv>
|
</refsynopsisdiv>
|
||||||
|
|
||||||
@ -232,6 +234,19 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
|
|||||||
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
configuration file.</para></listitem>
|
configuration file.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><filename>/dev/kmsg</filename></term>
|
||||||
|
<term><filename>/dev/log</filename></term>
|
||||||
|
<term><filename>/run/systemd/journal/dev-log</filename></term>
|
||||||
|
<term><filename>/run/systemd/journal/socket</filename></term>
|
||||||
|
<term><filename>/run/systemd/journal/stdout</filename></term>
|
||||||
|
|
||||||
|
<listitem><para>Sockets that
|
||||||
|
<command>systemd-journald</command> will listen on that are
|
||||||
|
visible in the file system. In addition to those, journald can
|
||||||
|
listen for audit events using netlink.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -1446,6 +1446,7 @@ static int server_open_hostname(Server *s) {
|
|||||||
int server_init(Server *s) {
|
int server_init(Server *s) {
|
||||||
_cleanup_fdset_free_ FDSet *fds = NULL;
|
_cleanup_fdset_free_ FDSet *fds = NULL;
|
||||||
int n, r, fd;
|
int n, r, fd;
|
||||||
|
bool no_sockets;
|
||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
@ -1555,30 +1556,44 @@ int server_init(Server *s) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
r = server_open_stdout_socket(s, fds);
|
/* Try to restore streams, but don't bother if this fails */
|
||||||
if (r < 0)
|
(void) server_restore_streams(s, fds);
|
||||||
return r;
|
|
||||||
|
|
||||||
if (fdset_size(fds) > 0) {
|
if (fdset_size(fds) > 0) {
|
||||||
log_warning("%u unknown file descriptors passed, closing.", fdset_size(fds));
|
log_warning("%u unknown file descriptors passed, closing.", fdset_size(fds));
|
||||||
fds = fdset_free(fds);
|
fds = fdset_free(fds);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
no_sockets = s->native_fd < 0 && s->stdout_fd < 0 && s->syslog_fd < 0 && s->audit_fd < 0;
|
||||||
|
|
||||||
|
/* always open stdout, syslog, native, and kmsg sockets */
|
||||||
|
|
||||||
|
/* systemd-journald.socket: /run/systemd/journal/stdout */
|
||||||
|
r = server_open_stdout_socket(s);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
/* systemd-journald-dev-log.socket: /run/systemd/journal/dev-log */
|
||||||
r = server_open_syslog_socket(s);
|
r = server_open_syslog_socket(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
/* systemd-journald.socket: /run/systemd/journal/socket */
|
||||||
r = server_open_native_socket(s);
|
r = server_open_native_socket(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
/* /dev/ksmg */
|
||||||
r = server_open_dev_kmsg(s);
|
r = server_open_dev_kmsg(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
/* Unless we got *some* sockets and not audit, open audit socket */
|
||||||
|
if (s->audit_fd >= 0 || no_sockets) {
|
||||||
r = server_open_audit(s);
|
r = server_open_audit(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
r = server_open_kernel_seqnum(s);
|
r = server_open_kernel_seqnum(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
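Review bot: The comment added before `r = server_open_dev_kmsg(s);` in the second journald-server.c hunk misspells the device: `/* /dev/ksmg */` should read `/* /dev/kmsg */`. The comment above the new `if (s->audit_fd >= 0 || no_sockets)` check is also hard to parse; something like `/* Open the audit socket ourselves unless socket activation handed us other sockets but no audit fd, which means systemd-journald-audit.socket has been masked. */` states both the rule and its consequence (journald then presumably stops collecting audit events), so an operator reading this understands what masking the unit does. A one-line comment on `no_sockets = ...` saying it must be evaluated before any `server_open_*()` call, since those set the fds it tests, would keep a later tidy-up from moving it down. The `bool no_sockets;` declaration in the first hunk is fine; server_init() starts and ends outside these hunks.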
@ -627,7 +627,7 @@ static int stdout_stream_restore(Server *s, const char *fname, int fd) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int server_restore_streams(Server *s, FDSet *fds) {
|
int server_restore_streams(Server *s, FDSet *fds) {
|
||||||
_cleanup_closedir_ DIR *d = NULL;
|
_cleanup_closedir_ DIR *d = NULL;
|
||||||
struct dirent *de;
|
struct dirent *de;
|
||||||
int r;
|
int r;
|
||||||
@ -681,7 +681,7 @@ fail:
|
|||||||
return log_error_errno(errno, "Failed to read streams directory: %m");
|
return log_error_errno(errno, "Failed to read streams directory: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
int server_open_stdout_socket(Server *s, FDSet *fds) {
|
int server_open_stdout_socket(Server *s) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
@ -717,8 +717,5 @@ int server_open_stdout_socket(Server *s, FDSet *fds) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to adjust priority of stdout server event source: %m");
|
return log_error_errno(r, "Failed to adjust priority of stdout server event source: %m");
|
||||||
|
|
||||||
/* Try to restore streams, but don't bother if this fails */
|
|
||||||
(void) server_restore_streams(s, fds);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
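Review bot: `server_open_stdout_socket()` no longer calls `server_restore_streams()`, so restoring streams is now a separate step the caller must order correctly — it needs the passed-in fd set, which server_init() frees right after the call — but neither the changed definition in the `@ -681` hunk nor the new prototype in journald-stream.h documents that contract. I would add above `int server_restore_streams(Server *s, FDSet *fds) {` a comment such as `/* Restore stdout streams from the streams directory, taking their fds from @fds; must be called before the caller discards @fds. Best-effort: failures are logged and server_init() ignores the return value. */`, and mirror it on the declaration in journald-stream.h. A matching note on `int server_open_stdout_socket(Server *s) {` stating that it only opens the socket and does not restore streams would prevent a future caller from assuming the old behaviour. Both function bodies extend beyond their hunks.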
@ -24,6 +24,6 @@
|
|||||||
#include "fdset.h"
|
#include "fdset.h"
|
||||||
#include "journald-server.h"
|
#include "journald-server.h"
|
||||||
|
|
||||||
int server_open_stdout_socket(Server *s, FDSet *fds);
|
int server_open_stdout_socket(Server *s);
|
||||||
|
int server_restore_streams(Server *s, FDSet *fds);
|
||||||
void stdout_stream_free(StdoutStream *s);
|
void stdout_stream_free(StdoutStream *s);
|
||||||
|