From: Lennart Poettering
Date: Mon, 8 Sep 2025 10:26:35 +0000 (+0200)
Subject: build: make libaudit dep dlopen()
X-Git-Tag: v259-rc1~491^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d8c5c657ae0829f93944a00302e7ce700913e54;p=thirdparty%2Fsystemd.git

build: make libaudit dep dlopen()
---
diff --git a/meson.build b/meson.build
index 52850311b55..68b2df7b495 100644
--- a/meson.build
+++ b/meson.build
@@ -1187,6 +1187,7 @@ conf.set10('HAVE_ACL', libacl.found())
 libaudit = dependency('audit', required : get_option('audit'))
 conf.set10('HAVE_AUDIT', libaudit.found())
+libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
 libblkid = dependency('blkid', required : get_option('blkid'))
diff --git a/src/core/manager.c b/src/core/manager.c
index 2529a7c3f10..103bdb9ae48 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3417,7 +3417,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
 }
 msg = strjoina("unit=", p);
- if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
+ if (sym_audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
 if (ERRNO_IS_PRIVILEGE(errno)) {
 /* We aren't allowed to send audit messages? Then let's not retry again. */
 log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
diff --git a/src/core/meson.build b/src/core/meson.build
index 8bb0054c146..16c5df0c45e 100644
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -132,7 +132,7 @@ libcore_static = static_library(
 implicit_include_directories : false,
 c_args : ['-fvisibility=default'],
 dependencies : [libacl,
- libaudit,
+ libaudit_cflags,
 libblkid,
 libdl,
 libm,
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 8ccc31630d6..ad1d2f30803 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
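Review bot: In src/core/manager.c, manager_send_unit_audit() now calls through `sym_audit_log_user_comm_message`, a pointer that libaudit-util.c initialises to NULL and fills in only when dlopen_libaudit() succeeds, and nothing visible in this hunk establishes that it has. The call is safe only if audit_fd can become non-negative solely through open_audit_fd_or_warn(); the code that obtains audit_fd is outside the hunk, so that is presumably true but should be confirmed. Because a call through a NULL pointer would crash the service manager, I would state the precondition at the call site, e.g. `assert(sym_audit_log_user_comm_message);`, or as a comment next to the extern declarations in libaudit-util.h. The same applies to the sym_ calls in selinux-access.c, sysusers.c and update-utmp.c, and to `sym_audit_close()` in close_audit_fd().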
@@ -121,9 +121,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 if (r >= 0) {
 if (type == SELINUX_AVC)
- audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
+ sym_audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
 else if (type == SELINUX_ERROR)
- audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
+ sym_audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
 return 0;
 }
diff --git a/src/shared/libaudit-util.c b/src/shared/libaudit-util.c
index 617b69bfaff..bacdb641dd4 100644
--- a/src/shared/libaudit-util.c
+++ b/src/shared/libaudit-util.c
@@ -11,6 +11,33 @@
 #include "log.h"
 #include "socket-util.h"
+#if HAVE_AUDIT
+static void *libaudit_dl = NULL;
+
+static DLSYM_PROTOTYPE(audit_close) = NULL;
+DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
+DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
+DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
+static DLSYM_PROTOTYPE(audit_open) = NULL;
+
+int dlopen_libaudit(void) {
+ ELF_NOTE_DLOPEN("libaudit",
+ "Support for Audit loggging",
+ ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
+ "libaudit.so.1");
+
+ return dlopen_many_sym_or_warn(
+ &libaudit_dl,
+ "libaudit.so.1",
+ LOG_DEBUG,
+ DLSYM_ARG(audit_close),
+ DLSYM_ARG(audit_log_acct_message),
+ DLSYM_ARG(audit_log_user_avc_message),
+ DLSYM_ARG(audit_log_user_comm_message),
+ DLSYM_ARG(audit_open));
+}
+#endif
+
 static int try_audit_request(int fd) {
 struct iovec iov;
 struct msghdr mh;
@@ -56,6 +83,9 @@ bool use_audit(void) {
 if (cached_use >= 0)
 return cached_use;
+ if (dlopen_libaudit() < 0)
+ return (cached_use = false);
+
 _cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
 if (fd < 0) {
 cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
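Review bot: In log_callback() (src/core/selinux-access.c) the result of `sym_audit_log_user_avc_message()` is discarded and the block then returns 0 unconditionally, so a failed send of an AVC denial or SELinux error is dropped without trace, and any `type` other than SELINUX_AVC or SELINUX_ERROR reaches `return 0` without being logged anywhere. This predates the commit, but both calls are touched here. Consider returning early only when a record was actually sent and otherwise falling through to whatever non-audit logging follows the block; the rest of the function is outside the hunk, so whether such a fallback exists needs checking.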
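Review bot: The ELF dlopen note in dlopen_libaudit() (src/shared/libaudit-util.c, first hunk) misspells its description as "Support for Audit loggging"; the string is emitted into the binary's dlopen metadata, so it should read `"Support for Audit logging",`. A one-line comment above dlopen_libaudit() saying that a negative return means audit support is unavailable, as the two callers in this file treat it, would also help readers of the sym_ call sites.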
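Review bot: The new `dlopen_libaudit()` call in use_audit() (src/shared/libaudit-util.c, second hunk) has no `#if HAVE_AUDIT` around it, while this commit declares dlopen_libaudit() in libaudit-util.h and defines it in this file only inside `#if HAVE_AUDIT`. Unless the body of use_audit() is already guarded above the hunk, which is not visible here, a build with audit disabled would fail at this call. Wrapping the two added statements in `#if HAVE_AUDIT` and `#endif` would avoid that.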
@@ -87,7 +117,7 @@ bool use_audit(void) {
 int close_audit_fd(int fd) {
 #if HAVE_AUDIT
 if (fd >= 0)
- audit_close(fd);
+ sym_audit_close(fd);
 #else
 assert(fd < 0);
 #endif
@@ -96,8 +126,14 @@ int close_audit_fd(int fd) {
 int open_audit_fd_or_warn(void) {
 #if HAVE_AUDIT
+ int r;
+
+ r = dlopen_libaudit();
+ if (r < 0)
+ return r;
+
 /* If the kernel lacks netlink or audit support, don't worry about it. */
- int fd = audit_open();
+ int fd = sym_audit_open();
 if (fd < 0)
 return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno, "Failed to connect to audit log, ignoring: %m");
diff --git a/src/shared/libaudit-util.h b/src/shared/libaudit-util.h
index bd91a1cb938..b4e7a56c509 100644
--- a/src/shared/libaudit-util.h
+++ b/src/shared/libaudit-util.h
@@ -1,11 +1,19 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
+#include "forward.h"
+
 #if HAVE_AUDIT
 # include /* IWYU pragma: export */
-#endif
-#include "forward.h"
+# include "dlfcn-util.h"
+
+extern DLSYM_PROTOTYPE(audit_log_acct_message);
+extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
+extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
+
+int dlopen_libaudit(void);
+#endif
 bool use_audit(void);
diff --git a/src/shared/meson.build b/src/shared/meson.build
index 134e5ad2b60..f341c79df80 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -312,7 +312,7 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag)
 libshared_deps = [threads,
 libacl,
- libaudit,
+ libaudit_cflags,
 libblkid,
 libcap,
 libcrypt,
diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build
index e2e82889e77..f286ce8a20f 100644
--- a/src/sysusers/meson.build
+++ b/src/sysusers/meson.build
@@ -9,7 +9,7 @@ executables += [
 'name' : 'systemd-sysusers',
 'public' : true,
 'sources' : files('sysusers.c'),
- 'dependencies' : libaudit,
+ 'dependencies' : libaudit_cflags,
 },
 executable_template + {
 'name' : 'systemd-sysusers.standalone',
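Review bot: open_audit_fd_or_warn() (src/shared/libaudit-util.c, hunk at -96,8) now returns early when dlopen_libaudit() fails, and the only message on that path is the LOG_DEBUG one requested inside dlopen_libaudit(). On a build with HAVE_AUDIT, a missing or unloadable libaudit.so.1 therefore stops audit records from being sent without anything at warning level, which is at odds with the `_or_warn` name and with the LOG_WARNING used just below for other connection failures. If that is intended for an optional dependency, a comment saying so belongs above the `if (r < 0)`; otherwise log it here, e.g. `return log_warning_errno(r, "Failed to load libaudit, not sending audit records: %m");`.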
@@ -22,6 +22,6 @@ executables += [
 libshared_static,
 libsystemd_static,
 ],
- 'dependencies' : libaudit,
+ 'dependencies' : libaudit_cflags,
 },
 ]
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index d5a236703af..9d46fbc5e53 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -202,7 +202,7 @@ static void log_audit_accounts(Context *c, ItemType what) {
 */
 ORDERED_HASHMAP_FOREACH(i, what == ADD_USER ? c->todo_uids : c->todo_gids)
- audit_log_acct_message(
+ sym_audit_log_acct_message(
 c->audit_fd,
 type,
 program_invocation_short_name,
diff --git a/src/test/test-dlopen-so.c b/src/test/test-dlopen-so.c
index 870b2a67f89..ede99123629 100644
--- a/src/test/test-dlopen-so.c
+++ b/src/test/test-dlopen-so.c
@@ -8,6 +8,7 @@
 #include "gcrypt-util.h"
 #include "idn-util.h"
 #include "libarchive-util.h"
+#include "libaudit-util.h"
 #include "libfido2-util.h"
 #include "main-func.h"
 #include "module-util.h"
@@ -48,6 +49,7 @@ static int run(int argc, char **argv) {
 ASSERT_DLOPEN(dlopen_gcrypt, HAVE_GCRYPT);
 ASSERT_DLOPEN(dlopen_libkmod, HAVE_KMOD);
 ASSERT_DLOPEN(dlopen_libapparmor, HAVE_APPARMOR);
+ ASSERT_DLOPEN(dlopen_libaudit, HAVE_AUDIT);
 return 0;
 }
diff --git a/src/update-utmp/meson.build b/src/update-utmp/meson.build
index 1db44451551..f00a030a259 100644
--- a/src/update-utmp/meson.build
+++ b/src/update-utmp/meson.build
@@ -5,6 +5,6 @@ executables += [
 'name' : 'systemd-update-utmp',
 'conditions' : ['ENABLE_UTMP'],
 'sources' : files('update-utmp.c'),
- 'dependencies' : libaudit,
+ 'dependencies' : libaudit_cflags,
 },
 ]
diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c
index a9fe4855522..5a999806bd5 100644
--- a/src/update-utmp/update-utmp.c
+++ b/src/update-utmp/update-utmp.c
@@ -60,7 +60,7 @@ static int on_reboot(int argc, char *argv[], void *userdata) {
 #if HAVE_AUDIT
 if (c->audit_fd >= 0)
- if (audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_BOOT, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
+ if (sym_audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_BOOT, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
 errno != EPERM)
 q = log_error_errno(errno, "Failed to send audit message: %m");
 #endif
@@ -89,7 +89,7 @@ static int on_shutdown(int argc, char *argv[], void *userdata) {
 Context *c = ASSERT_PTR(userdata);
 if (c->audit_fd >= 0)
- if (audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_SHUTDOWN, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
+ if (sym_audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_SHUTDOWN, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
 errno != EPERM)
 q = log_error_errno(errno, "Failed to send audit message: %m");
 #endif
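Review bot: on_reboot() and on_shutdown() in src/update-utmp/update-utmp.c treat a failed audit send as harmless only for EPERM (`errno != EPERM)`), whereas manager_send_unit_audit() in this same commit classifies the failure with `ERRNO_IS_PRIVILEGE(errno)`. If a permission failure reported as EACCES should be tolerated here as well, use the same helper in both hunks: `!ERRNO_IS_PRIVILEGE(errno))` in place of `errno != EPERM)`. Both functions start and end outside their hunks, so how `q` is used afterwards is not visible.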