authorLennart Poettering <lennart@poettering.net>2014-11-03 21:09:38 +0100
committerLennart Poettering <lennart@poettering.net>2014-11-03 21:51:28 +0100
commitcfb1f5df7ce6868d3edb7333591b91c9809d64d3 (patch)
tree44a3419d44887d8e5d046a1c54c69e624c0a5d42
parent875c2e220e2611165e09051c4747971811f1de58 (diff)
core: introduce ConditionSecurity=audit
And conditionalize journald audit support with it
-rw-r--r--man/systemd.unit.xml15
-rw-r--r--src/core/condition.c3
-rw-r--r--src/shared/audit.c18
-rw-r--r--src/shared/audit.h2
-rw-r--r--units/systemd-journald-audit.socket1
5 files changed, 32 insertions, 7 deletions
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 803eff24aa..6d4c5c11eb 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1080,14 +1080,15 @@
<para><varname>ConditionSecurity=</varname>
may be used to check whether the given
security module is enabled on the
- system. Currently the recognized values
- values are <varname>selinux</varname>,
+ system. Currently the recognized
+ values values are
+ <varname>selinux</varname>,
<varname>apparmor</varname>,
- <varname>ima</varname> and
- <varname>smack</varname>.
- The test may be negated by prepending
- an exclamation
- mark.</para>
+ <varname>ima</varname>,
+ <varname>smack</varname> and
+ <varname>audit</varname>. The test may
+ be negated by prepending an
+ exclamation mark.</para>
<para><varname>ConditionCapability=</varname>
may be used to check whether the given
diff --git a/src/core/condition.c b/src/core/condition.c
index ec78169fc3..8e2e3118d7 100644
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -38,6 +38,7 @@
#include "apparmor-util.h"
#include "ima-util.h"
#include "selinux-util.h"
+#include "audit.h"
static bool condition_test_security(Condition *c) {
assert(c);
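Review bot: The new `#include "audit.h"` is appended after a list that is otherwise kept in alphabetical order (apparmor-util.h, ima-util.h, selinux-util.h); placing it first, before `#include "apparmor-util.h"`, keeps the block sorted and makes later merge conflicts in this include list easier to resolve. This is a style point only; the include itself is required for the use_audit() prototype used further down. condition_test_security's body continues past this hunk.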
@@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) {
return mac_smack_use() == !c->negate;
if (streq(c->parameter, "apparmor"))
return mac_apparmor_use() == !c->negate;
+ if (streq(c->parameter, "audit"))
+ return use_audit() == !c->negate;
if (streq(c->parameter, "ima"))
return use_ima() == !c->negate;
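Review bot: The new `audit` branch has no comment saying what the condition actually tests, and the name alone suggests more than it checks; from the use_audit() definition in src/shared/audit.c in this same commit, the test is whether the kernel accepts a NETLINK_AUDIT socket, not whether auditing is enabled or an audit daemon is running. A one-line comment above the branch, `/* "audit": the kernel exposes NETLINK_AUDIT; says nothing about auditing being enabled */`, would keep unit authors from reading more into ConditionSecurity=audit than it guarantees. The man page hunk in this commit lists audit last, after smack, while this branch sits between apparmor and ima; matching the documented order would be tidier. condition_test_security starts before this hunk.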
diff --git a/src/shared/audit.c b/src/shared/audit.c
index f101050825..4701c0a8de 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
*uid = (uid_t) u;
return 0;
}
+
+bool use_audit(void) {
+ static int cached_use = -1;
+
+ if (cached_use < 0) {
+ int fd;
+
+ fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
+ if (fd < 0)
+ cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT;
+ else {
+ cached_use = true;
+ safe_close(fd);
+ }
+ }
+
+ return cached_use;
+}
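Review bot: In use_audit(), every socket() failure other than EAFNOSUPPORT/EPROTONOSUPPORT is cached as "audit present" for the rest of the process, including transient ones such as EMFILE, ENFILE or ENOMEM, so a single fd-table exhaustion at the first call fixes the answer permanently. Treating unknown errors as "present" is a defensible conservative default (an EPERM from a sandboxed caller still reports the kernel as audit-capable rather than silently disabling audit-dependent units), but transient resource errors should not be written into the cache; return the conservative answer for that call and retry on the next one. A short comment on the errno test would also help, since the two-errno whitelist is the entire definition of "not supported" here. The rewrite below keeps the signature and the cached fast path and only restructures the failure branch.
```c
                fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                if (fd >= 0) {
                        cached_use = true;
                        safe_close(fd);
                } else if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
                        /* Kernel built without audit: the address family/protocol does not exist */
                        cached_use = false;
                else if (errno == EMFILE || errno == ENFILE || errno == ENOMEM)
                        /* Transient resource shortage: answer conservatively, but do not cache */
                        return true;
                else
                        /* Any other error (e.g. EPERM) means the family exists; treat as present */
                        cached_use = true;
        /* … unchanged: closing brace of the cache check, return cached_use … */
```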
diff --git a/src/shared/audit.h b/src/shared/audit.h
index 0effc0baa0..b4aecffb30 100644
--- a/src/shared/audit.h
+++ b/src/shared/audit.h
@@ -27,3 +27,5 @@
int audit_session_from_pid(pid_t pid, uint32_t *id);
int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
+
+bool use_audit(void);
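Review bot: The new `bool use_audit(void);` prototype carries no comment on its semantics, and this header is all most callers will see; per its definition in src/shared/audit.c the result is computed once, cached in a process-wide static, and reflects only whether a NETLINK_AUDIT socket could be opened. Suggested comment above the declaration: `/* Whether the kernel offers NETLINK_AUDIT; computed once and cached for the lifetime of the process. Does not indicate that auditing is enabled. */`. The header's include block is outside this hunk; if it does not already pull in <stdbool.h> (directly or through a utility header), the `bool` return type needs it.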
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
index ce849da046..35397aaeb8 100644
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -10,6 +10,7 @@ Description=Journal Audit Socket
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Before=sockets.target
+ConditionSecurity=audit
[Socket]
Service=systemd-journald.service