project-lakitu/sys-apps/systemd/files/225-audit-set-pid.patch - cos/overlays/board-overlays - Git at Google

 commit a355bea478bd9171ddb902cc1ad0af1468662501
 Author: Andrey Ulanov <andreyu@google.com>
 Date:   Thu Feb 23 17:41:37 2017 -0800

     journald: When enabling audit also set audit PID.

     When audit PID is set kernel will not log audit messages to dmesg
     as long as that process is running.
     When the PID is set we no longer need to receive the same messages via
     multicast.

 diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
 index a433c91c5..27740731b 100644
 --- a/src/journal/journald-audit.c
 +++ b/src/journal/journald-audit.c
 @@ -449,6 +449,14 @@ void server_process_audit_message(
                  return;
          }

 +        /* Even though we did not join multicast group the kernel may
 +         * still send us messages addressed to the group. This leads
 +         * to messages being duplicated twice. So here we ignore multicast messages. */
 +        if (sa->nl.nl_groups) {
 +                log_debug("Audit netlink message via multicast group.");
 +                return;
 +        }
 +
          if (!ucred || ucred->pid != 0) {
                  log_debug("Audit netlink message with invalid credentials.");
                  return;
 @@ -470,7 +478,7 @@ void server_process_audit_message(
          process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
  }

 -static int enable_audit(int fd, bool b) {
 +static int audit_set_status(int fd, struct audit_status *status) {
          struct {
                  union {
                          struct nlmsghdr header;
 @@ -483,12 +491,12 @@ static int enable_audit(int fd, bool b) {
                  .header.nlmsg_flags = NLM_F_REQUEST,
                  .header.nlmsg_seq = 1,
                  .header.nlmsg_pid = 0,
 -                .body.mask = AUDIT_STATUS_ENABLED,
 -                .body.enabled = b,
 +                .body = *status
          };
          union sockaddr_union sa = {
                  .nl.nl_family = AF_NETLINK,
                  .nl.nl_pid = 0,
 +                .nl.nl_groups = 0,
          };
          struct iovec iovec = {
                  .iov_base = &request,
 @@ -515,17 +523,27 @@ static int enable_audit(int fd, bool b) {
          return 0;
  }

 +static int enable_audit(int fd, bool b) {
 +        struct audit_status status = {
 +                .mask = AUDIT_STATUS_ENABLED,
 +                .enabled = b,
 +        };
 +        return audit_set_status(fd, &status);
 +}
 +
 +static int set_audit_pid(int fd, pid_t pid) {
 +        struct audit_status status = {
 +                .mask = AUDIT_STATUS_PID,
 +                .pid = pid,
 +        };
 +        return audit_set_status(fd, &status);
 +}
 +
  int server_open_audit(Server *s) {
          static const int one = 1;
          int r;

          if (s->audit_fd < 0) {
 -                static const union sockaddr_union sa = {
 -                        .nl.nl_family = AF_NETLINK,
 -                        .nl.nl_pid    = 0,
 -                        .nl.nl_groups = AUDIT_NLGRP_READLOG,
 -                };
 -
                  s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                  if (s->audit_fd < 0) {
                          if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
 @@ -535,15 +553,6 @@ int server_open_audit(Server *s) {

                          return 0;
                  }
 -
 -                if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
 -                        log_warning_errno(errno,
 -                                          "Failed to join audit multicast group. "
 -                                          "The kernel is probably too old or multicast reading is not supported. "
 -                                          "Ignoring: %m");
 -                        s->audit_fd = safe_close(s->audit_fd);
 -                        return 0;
 -                }
          } else
                  fd_nonblock(s->audit_fd, 1);

 @@ -560,5 +569,9 @@ int server_open_audit(Server *s) {
          if (r < 0)
                  log_warning_errno(r, "Failed to issue audit enable call: %m");

 +        r = set_audit_pid(s->audit_fd, getpid());
 +        if (r < 0)
 +                log_warning_errno(r, "Failed to issue set audit pid: %m");
 +
          return 0;
  }
	commit a355bea478bd9171ddb902cc1ad0af1468662501
	Author: Andrey Ulanov <andreyu@google.com>
	Date: Thu Feb 23 17:41:37 2017 -0800

	journald: When enabling audit also set audit PID.

	When audit PID is set kernel will not log audit messages to dmesg
	as long as that process is running.
	When the PID is set we no longer need to receive the same messages via
	multicast.

	diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
	index a433c91c5..27740731b 100644
	--- a/src/journal/journald-audit.c
	+++ b/src/journal/journald-audit.c
	@@ -449,6 +449,14 @@ void server_process_audit_message(
	return;
	}

	+ /* Even though we did not join multicast group the kernel may
	+ * still send us messages addressed to the group. This leads
	+ * to messages being duplicated twice. So here we ignore multicast messages. */
	+ if (sa->nl.nl_groups) {
	+ log_debug("Audit netlink message via multicast group.");
	+ return;
	+ }
	+
	if (!ucred \|\| ucred->pid != 0) {
	log_debug("Audit netlink message with invalid credentials.");
	return;
	@@ -470,7 +478,7 @@ void server_process_audit_message(
	process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
	}

	-static int enable_audit(int fd, bool b) {
	+static int audit_set_status(int fd, struct audit_status *status) {
	struct {
	union {
	struct nlmsghdr header;
	@@ -483,12 +491,12 @@ static int enable_audit(int fd, bool b) {
	.header.nlmsg_flags = NLM_F_REQUEST,
	.header.nlmsg_seq = 1,
	.header.nlmsg_pid = 0,
	- .body.mask = AUDIT_STATUS_ENABLED,
	- .body.enabled = b,
	+ .body = *status
	};
	union sockaddr_union sa = {
	.nl.nl_family = AF_NETLINK,
	.nl.nl_pid = 0,
	+ .nl.nl_groups = 0,
	};
	struct iovec iovec = {
	.iov_base = &request,
	@@ -515,17 +523,27 @@ static int enable_audit(int fd, bool b) {
	return 0;
	}

	+static int enable_audit(int fd, bool b) {
	+ struct audit_status status = {
	+ .mask = AUDIT_STATUS_ENABLED,
	+ .enabled = b,
	+ };
	+ return audit_set_status(fd, &status);
	+}
	+
	+static int set_audit_pid(int fd, pid_t pid) {
	+ struct audit_status status = {
	+ .mask = AUDIT_STATUS_PID,
	+ .pid = pid,
	+ };
	+ return audit_set_status(fd, &status);
	+}
	+
	int server_open_audit(Server *s) {
	static const int one = 1;
	int r;

	if (s->audit_fd < 0) {
	- static const union sockaddr_union sa = {
	- .nl.nl_family = AF_NETLINK,
	- .nl.nl_pid = 0,
	- .nl.nl_groups = AUDIT_NLGRP_READLOG,
	- };
	-
	s->audit_fd = socket(AF_NETLINK, SOCK_RAW\|SOCK_CLOEXEC\|SOCK_NONBLOCK, NETLINK_AUDIT);
	if (s->audit_fd < 0) {
	if (errno == EAFNOSUPPORT \|\| errno == EPROTONOSUPPORT)
	@@ -535,15 +553,6 @@ int server_open_audit(Server *s) {

	return 0;
	}
	-
	- if (bind(s->audit_fd, &sa.sa, sizeof(sa.nl)) < 0) {
	- log_warning_errno(errno,
	- "Failed to join audit multicast group. "
	- "The kernel is probably too old or multicast reading is not supported. "
	- "Ignoring: %m");
	- s->audit_fd = safe_close(s->audit_fd);
	- return 0;
	- }
	} else
	fd_nonblock(s->audit_fd, 1);

	@@ -560,5 +569,9 @@ int server_open_audit(Server *s) {
	if (r < 0)
	log_warning_errno(r, "Failed to issue audit enable call: %m");

	+ r = set_audit_pid(s->audit_fd, getpid());
	+ if (r < 0)
	+ log_warning_errno(r, "Failed to issue set audit pid: %m");
	+
	return 0;
	}