| commit a355bea478bd9171ddb902cc1ad0af1468662501 |
| Author: Andrey Ulanov <andreyu@google.com> |
| Date: Thu Feb 23 17:41:37 2017 -0800 |
| |
| journald: When enabling audit also set audit PID. |
| |
| When audit PID is set kernel will not log audit messages to dmesg |
| as long as that process is running. |
| When the PID is set we no longer need to receive the same messages via |
| multicast. |
| |
| diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c |
| index a433c91c5..27740731b 100644 |
| --- a/src/journal/journald-audit.c |
| +++ b/src/journal/journald-audit.c |
| @@ -1,6 +1,7 @@ |
| /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| |
| #include <malloc.h> |
| +#include <unistd.h> |
| |
| #include "alloc-util.h" |
| #include "audit-type.h" |
| @@ -446,6 +447,14 @@ void server_process_audit_message( |
| return; |
| } |
| |
| + /* Even though we did not join multicast group the kernel may |
| + * still send us messages addressed to the group. This leads |
| + * to messages being duplicated twice. So here we ignore multicast messages. */ |
| + if (sa->nl.nl_groups) { |
| + log_debug("Audit netlink message via multicast group."); |
| + return; |
| + } |
| + |
| if (!ucred || ucred->pid != 0) { |
| log_debug("Audit netlink message with invalid credentials."); |
| return; |
| @@ -467,7 +476,7 @@ void server_process_audit_message( |
| process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr))); |
| } |
| |
| -static int enable_audit(int fd, bool b) { |
| +static int audit_set_status(int fd, struct audit_status *status) { |
| struct { |
| union { |
| struct nlmsghdr header; |
| @@ -480,12 +489,12 @@ static int enable_audit(int fd, bool b) { |
| .header.nlmsg_flags = NLM_F_REQUEST, |
| .header.nlmsg_seq = 1, |
| .header.nlmsg_pid = 0, |
| - .body.mask = AUDIT_STATUS_ENABLED, |
| - .body.enabled = b, |
| + .body = *status |
| }; |
| union sockaddr_union sa = { |
| .nl.nl_family = AF_NETLINK, |
| .nl.nl_pid = 0, |
| + .nl.nl_groups = 0 |
| }; |
| struct iovec iovec = { |
| .iov_base = &request, |
| @@ -512,15 +521,27 @@ static int enable_audit(int fd, bool b) { |
| return 0; |
| } |
| |
| +static int enable_audit(int fd, bool b) { |
| + struct audit_status status = { |
| + .mask = AUDIT_STATUS_ENABLED, |
| + .enabled = b, |
| + }; |
| + return audit_set_status(fd, &status); |
| +} |
| + |
| +static int set_audit_pid(int fd, pid_t pid) { |
| + struct audit_status status = { |
| + .mask = AUDIT_STATUS_PID, |
| + .pid = pid, |
| + }; |
| + return audit_set_status(fd, &status); |
| +} |
| + |
| + |
| int server_open_audit(Server *s) { |
| int r; |
| |
| if (s->audit_fd < 0) { |
| - static const union sockaddr_union sa = { |
| - .nl.nl_family = AF_NETLINK, |
| - .nl.nl_pid = 0, |
| - .nl.nl_groups = AUDIT_NLGRP_READLOG, |
| - }; |
| |
| s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); |
| if (s->audit_fd < 0) { |
| @@ -532,14 +553,6 @@ int server_open_audit(Server *s) { |
| return 0; |
| } |
| |
| - if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) { |
| - log_warning_errno(errno, |
| - "Failed to join audit multicast group. " |
| - "The kernel is probably too old or multicast reading is not supported. " |
| - "Ignoring: %m"); |
| - s->audit_fd = safe_close(s->audit_fd); |
| - return 0; |
| - } |
| } else |
| (void) fd_nonblock(s->audit_fd, true); |
| |
| @@ -560,6 +573,10 @@ int server_open_audit(Server *s) { |
| log_debug("Auditing in kernel turned on."); |
| else |
| log_debug("Auditing in kernel turned off."); |
| + r = set_audit_pid(s->audit_fd, getpid()); |
| + if (r < 0) |
| + log_warning_errno(r, "Failed to issue set audit pid: %m"); |
| + |
| } |
| |
| return 0; |