From 4d9ced9956755901238fede6fc5a3d7e4e816aa6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 4 Nov 2014 00:01:32 +0100 Subject: journald: enable audit in the kernel when initializing Similar to auditd actually turn on auditing as we are starting. This way we can operate entirely without auditd around. --- src/journal/journald-audit.c | 50 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c index 787ec34bb8..0e1e8bd5d0 100644 --- a/src/journal/journald-audit.c +++ b/src/journal/journald-audit.c @@ -438,6 +438,51 @@ void server_process_audit_message( process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)), tv); } +static int enable_audit(int fd, bool b) { + struct { + union { + struct nlmsghdr header; + uint8_t header_space[NLMSG_HDRLEN]; + }; + struct audit_status body; + } _packed_ request = { + .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)), + .header.nlmsg_type = AUDIT_SET, + .header.nlmsg_flags = NLM_F_REQUEST, + .header.nlmsg_seq = 1, + .header.nlmsg_pid = 0, + .body.mask = AUDIT_STATUS_ENABLED, + .body.enabled = b, + }; + union sockaddr_union sa = { + .nl.nl_family = AF_NETLINK, + .nl.nl_pid = 0, + }; + struct iovec iovec = { + .iov_base = &request, + .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)), + }; + struct msghdr mh = { + .msg_iov = &iovec, + .msg_iovlen = 1, + .msg_name = &sa.sa, + .msg_namelen = sizeof(sa.nl), + }; + + ssize_t n; + + n = sendmsg(fd, &mh, MSG_NOSIGNAL); + if (n < 0) + return -errno; + if (n != NLMSG_LENGTH(sizeof(struct audit_status))) + return -EIO; + + /* We don't wait for the result here, we can't do anything + * about it anyway */ + + return 0; +} + int server_open_audit(Server *s) { static const int one = 1; int r; @@ -479,5 +524,10 @@ int server_open_audit(Server *s) { return r; } + /* We are listening now, try to enable audit */ + r = enable_audit(s->audit_fd, true); + if (r < 0) + log_warning("Failed to issue audit enable call: %s", strerror(-r)); + return 0; } -- cgit v1.2.3-54-g00ecf