authorLennart Poettering <lennart@poettering.net>2015-10-13 17:23:33 +0200
committerLennart Poettering <lennart@poettering.net>2015-10-13 17:23:33 +0200
commit18438f262c60823ad01bf88b7a8a326c3e8b511d (patch)
tree1ad6aa4c93400a77eeeb8e70e54df4abb5aa52ac
parentc7e2496a2194557c8c52317209d1020dee845117 (diff)
parent37b7affefde5443680d73642a990ce86776e28af (diff)
Merge pull request #1542 from keszybz/journal-audit-optional
Make journald audit socket maskable
-rw-r--r--Makefile-man.am5
-rw-r--r--man/systemd-journald.service.xml17
-rw-r--r--src/journal/journald-server.c27
-rw-r--r--src/journal/journald-stream.c7
-rw-r--r--src/journal/journald-stream.h4
5 files changed, 46 insertions, 14 deletions
diff --git a/Makefile-man.am b/Makefile-man.am
index 1ff85d7d2c..56aa0fff1b 100644
--- a/Makefile-man.am
+++ b/Makefile-man.am
@@ -374,6 +374,7 @@ MANPAGES_ALIAS += \
man/systemd-hybrid-sleep.service.8 \
man/systemd-initctl.8 \
man/systemd-initctl.socket.8 \
+ man/systemd-journald-audit.socket.8 \
man/systemd-journald-dev-log.socket.8 \
man/systemd-journald.8 \
man/systemd-journald.socket.8 \
@@ -663,6 +664,7 @@ man/systemd-hibernate.service.8: man/systemd-suspend.service.8
man/systemd-hybrid-sleep.service.8: man/systemd-suspend.service.8
man/systemd-initctl.8: man/systemd-initctl.service.8
man/systemd-initctl.socket.8: man/systemd-initctl.service.8
+man/systemd-journald-audit.socket.8: man/systemd-journald.service.8
man/systemd-journald-dev-log.socket.8: man/systemd-journald.service.8
man/systemd-journald.8: man/systemd-journald.service.8
man/systemd-journald.socket.8: man/systemd-journald.service.8
@@ -1378,6 +1380,9 @@ man/systemd-initctl.html: man/systemd-initctl.service.html
man/systemd-initctl.socket.html: man/systemd-initctl.service.html
$(html-alias)
+man/systemd-journald-audit.socket.html: man/systemd-journald.service.html
+ $(html-alias)
+
man/systemd-journald-dev-log.socket.html: man/systemd-journald.service.html
$(html-alias)
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index bd0082712e..08c631e5a1 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -46,6 +46,7 @@
<refname>systemd-journald.service</refname>
<refname>systemd-journald.socket</refname>
<refname>systemd-journald-dev-log.socket</refname>
+ <refname>systemd-journald-audit.socket</refname>
<refname>systemd-journald</refname>
<refpurpose>Journal service</refpurpose>
</refnamediv>
@@ -54,6 +55,7 @@
<para><filename>systemd-journald.service</filename></para>
<para><filename>systemd-journald.socket</filename></para>
<para><filename>systemd-journald-dev-log.socket</filename></para>
+ <para><filename>systemd-journald-audit.socket</filename></para>
<para><filename>/usr/lib/systemd/systemd-journald</filename></para>
</refsynopsisdiv>
@@ -230,7 +232,20 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
<filename>/var/log/journal</filename> is not available, or
when <option>Storage=volatile</option> is set in the
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- configuration file. </para></listitem>
+ configuration file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/dev/kmsg</filename></term>
+ <term><filename>/dev/log</filename></term>
+ <term><filename>/run/systemd/journal/dev-log</filename></term>
+ <term><filename>/run/systemd/journal/socket</filename></term>
+ <term><filename>/run/systemd/journal/stdout</filename></term>
+
+ <listitem><para>Sockets that
+ <command>systemd-journald</command> will listen on that are
+ visible in the file system. In addition to those, journald can
+ listen for audit events using netlink.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index fb172b7f5d..2d2a215f5d 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1446,6 +1446,7 @@ static int server_open_hostname(Server *s) {
int server_init(Server *s) {
_cleanup_fdset_free_ FDSet *fds = NULL;
int n, r, fd;
+ bool no_sockets;
assert(s);
@@ -1555,30 +1556,44 @@ int server_init(Server *s) {
}
}
- r = server_open_stdout_socket(s, fds);
- if (r < 0)
- return r;
+ /* Try to restore streams, but don't bother if this fails */
+ (void) server_restore_streams(s, fds);
if (fdset_size(fds) > 0) {
log_warning("%u unknown file descriptors passed, closing.", fdset_size(fds));
fds = fdset_free(fds);
}
+ no_sockets = s->native_fd < 0 && s->stdout_fd < 0 && s->syslog_fd < 0 && s->audit_fd < 0;
+
+ /* always open stdout, syslog, native, and kmsg sockets */
+
+ /* systemd-journald.socket: /run/systemd/journal/stdout */
+ r = server_open_stdout_socket(s);
+ if (r < 0)
+ return r;
+
+ /* systemd-journald-dev-log.socket: /run/systemd/journal/dev-log */
r = server_open_syslog_socket(s);
if (r < 0)
return r;
+ /* systemd-journald.socket: /run/systemd/journal/socket */
r = server_open_native_socket(s);
if (r < 0)
return r;
+ /* /dev/ksmg */
r = server_open_dev_kmsg(s);
if (r < 0)
return r;
- r = server_open_audit(s);
- if (r < 0)
- return r;
+ /* Unless we got *some* sockets and not audit, open audit socket */
+ if (s->audit_fd >= 0 || no_sockets) {
+ r = server_open_audit(s);
+ if (r < 0)
+ return r;
+ }
r = server_open_kernel_seqnum(s);
if (r < 0)
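Review bot: When journald is started with some sockets passed in but not the audit one, the new `if (s->audit_fd >= 0 || no_sockets)` branch skips `server_open_audit()` without logging anything, so a journal that is missing audit records looks the same as one where audit was simply quiet. An `else` branch such as `log_info("Audit socket not passed in, not collecting audit messages.");` would leave a trace that operators and incident responders can check for. The comment `/* /dev/ksmg */` is also misspelled and should read `/* /dev/kmsg */`. `server_init()` starts and ends outside this hunk, so the code that populates the four `*_fd` fields read by `no_sockets` is not visible here.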
diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
index 69e2d41863..cbdaa3b888 100644
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -627,7 +627,7 @@ static int stdout_stream_restore(Server *s, const char *fname, int fd) {
return 0;
}
-static int server_restore_streams(Server *s, FDSet *fds) {
+int server_restore_streams(Server *s, FDSet *fds) {
_cleanup_closedir_ DIR *d = NULL;
struct dirent *de;
int r;
@@ -681,7 +681,7 @@ fail:
return log_error_errno(errno, "Failed to read streams directory: %m");
}
-int server_open_stdout_socket(Server *s, FDSet *fds) {
+int server_open_stdout_socket(Server *s) {
int r;
assert(s);
@@ -717,8 +717,5 @@ int server_open_stdout_socket(Server *s, FDSet *fds) {
if (r < 0)
return log_error_errno(r, "Failed to adjust priority of stdout server event source: %m");
- /* Try to restore streams, but don't bother if this fails */
- (void) server_restore_streams(s, fds);
-
return 0;
}
diff --git a/src/journal/journald-stream.h b/src/journal/journald-stream.h
index 94bf955d78..257dce45df 100644
--- a/src/journal/journald-stream.h
+++ b/src/journal/journald-stream.h
@@ -24,6 +24,6 @@
#include "fdset.h"
#include "journald-server.h"
-int server_open_stdout_socket(Server *s, FDSet *fds);
-
+int server_open_stdout_socket(Server *s);
+int server_restore_streams(Server *s, FDSet *fds);
void stdout_stream_free(StdoutStream *s);
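Review bot: The newly exported `server_restore_streams()` is declared without any comment on its calling contract, which has moved out of `server_open_stdout_socket()` and into the caller. In `server_init()` it has to run before the remaining entries in `fds` are reported as unknown and closed, and its return value is deliberately discarded. A short comment above the declaration would record that, for example `/* Restores stdout streams from passed fds; call before leftover fds in the set are closed. Failure is non-fatal. */`. That the function takes the descriptors it restores out of `fds` is inferred from the caller and is not shown in these hunks.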