diff options
| -rw-r--r-- | man/systemd.unit.xml | 15 | ||||
| -rw-r--r-- | src/core/condition.c | 3 | ||||
| -rw-r--r-- | src/shared/audit.c | 18 | ||||
| -rw-r--r-- | src/shared/audit.h | 2 | ||||
| -rw-r--r-- | units/systemd-journald-audit.socket | 1 |
5 files changed, 32 insertions, 7 deletions
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 803eff24aa..6d4c5c11eb 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1080,14 +1080,15 @@ <para><varname>ConditionSecurity=</varname> may be used to check whether the given security module is enabled on the - system. Currently the recognized values - values are <varname>selinux</varname>, + system. Currently the recognized + values values are + <varname>selinux</varname>, <varname>apparmor</varname>, - <varname>ima</varname> and - <varname>smack</varname>. - The test may be negated by prepending - an exclamation - mark.</para> + <varname>ima</varname>, + <varname>smack</varname> and + <varname>audit</varname>. The test may + be negated by prepending an + exclamation mark.</para> <para><varname>ConditionCapability=</varname> may be used to check whether the given diff --git a/src/core/condition.c b/src/core/condition.c index ec78169fc3..8e2e3118d7 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -38,6 +38,7 @@ #include "apparmor-util.h" #include "ima-util.h" #include "selinux-util.h" +#include "audit.h" static bool condition_test_security(Condition *c) { assert(c); @@ -50,6 +51,8 @@ static bool condition_test_security(Condition *c) { return mac_smack_use() == !c->negate; if (streq(c->parameter, "apparmor")) return mac_apparmor_use() == !c->negate; + if (streq(c->parameter, "audit")) + return use_audit() == !c->negate; if (streq(c->parameter, "ima")) return use_ima() == !c->negate; diff --git a/src/shared/audit.c b/src/shared/audit.c index f101050825..4701c0a8de 100644 --- a/src/shared/audit.c +++ b/src/shared/audit.c @@ -80,3 +80,21 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) { *uid = (uid_t) u; return 0; } + +bool use_audit(void) { + static int cached_use = -1; + + if (cached_use < 0) { + int fd; + + fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); + if (fd < 0) + cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT; + else { + cached_use = true; + safe_close(fd); + } + } + + return cached_use; +} diff --git a/src/shared/audit.h b/src/shared/audit.h index 0effc0baa0..b4aecffb30 100644 --- a/src/shared/audit.h +++ b/src/shared/audit.h @@ -27,3 +27,5 @@ int audit_session_from_pid(pid_t pid, uint32_t *id); int audit_loginuid_from_pid(pid_t pid, uid_t *uid); + +bool use_audit(void); diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket index ce849da046..35397aaeb8 100644 --- a/units/systemd-journald-audit.socket +++ b/units/systemd-journald-audit.socket @@ -10,6 +10,7 @@ Description=Journal Audit Socket Documentation=man:systemd-journald.service(8) man:journald.conf(5) DefaultDependencies=no Before=sockets.target +ConditionSecurity=audit [Socket] Service=systemd-journald.service |