From: Daan De Meyer Date: Wed, 7 May 2025 09:15:12 +0000 (+0200) Subject: basic: Move parts of audit-util.{c,h} to libaudit-util.{c,h} in shared/ X-Git-Tag: v258-rc1~656^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c992250c2430110bc97a10216e7be80addcaff22;p=thirdparty%2Fsystemd.git basic: Move parts of audit-util.{c,h} to libaudit-util.{c,h} in shared/ --- diff --git a/src/basic/audit-util.c b/src/basic/audit-util.c index 0d664b0d8b7..9a9f2849ed3 100644 --- a/src/basic/audit-util.c +++ b/src/basic/audit-util.c @@ -1,20 +1,10 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ -#include -#include -#include -#include -#include - #include "alloc-util.h" #include "audit-util.h" -#include "fd-util.h" #include "fileio.h" -#include "iovec-util.h" -#include "macro.h" #include "parse-util.h" #include "process-util.h" -#include "socket-util.h" #include "stat-util.h" #include "user-util.h" #include "virt.h" @@ -94,76 +84,3 @@ int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) { return parse_uid(s, ret_uid); } - -static int try_audit_request(int fd) { - struct iovec iov; - struct msghdr mh; - ssize_t n; - - assert(fd >= 0); - - struct { - struct nlmsghdr hdr; - struct nlmsgerr err; - } _packed_ msg = { - .hdr.nlmsg_len = NLMSG_LENGTH(0), - .hdr.nlmsg_type = AUDIT_GET_FEATURE, - .hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, - }; - iov = IOVEC_MAKE(&msg, msg.hdr.nlmsg_len); - mh = (struct msghdr) { - .msg_iov = &iov, - .msg_iovlen = 1, - }; - - if (sendmsg(fd, &mh, MSG_NOSIGNAL) < 0) - return -errno; - - iov.iov_len = sizeof(msg); - - n = recvmsg_safe(fd, &mh, 0); - if (n < 0) - return n; - if (n != NLMSG_LENGTH(sizeof(struct nlmsgerr))) - return -EIO; - - if (msg.hdr.nlmsg_type != NLMSG_ERROR) - return -EINVAL; - - return msg.err.error; -} - -bool use_audit(void) { - static int cached_use = -1; - int r; - - if (cached_use >= 0) - return cached_use; - - _cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); - if (fd < 0) { - cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno); - if (cached_use) - log_debug_errno(errno, "Unexpected error while creating audit socket, proceeding with its use: %m"); - else - log_debug_errno(errno, "Won't talk to audit, because feature or privilege absent: %m"); - } else { - /* If we try and use the audit fd but get -ECONNREFUSED, it is because we are not in the - * initial user namespace, and the kernel does not have support for audit outside of the - * initial user namespace (see - * https://elixir.bootlin.com/linux/latest/C/ident/audit_netlink_ok). - * - * If we receive any other error, do not disable audit because we are not sure that the error - * indicates that audit will not work in general. */ - r = try_audit_request(fd); - if (r < 0) { - cached_use = r != -ECONNREFUSED; - log_debug_errno(r, cached_use ? - "Failed to make request on audit fd, ignoring: %m" : - "Won't talk to audit: %m"); - } else - cached_use = true; - } - - return cached_use; -} diff --git a/src/basic/audit-util.h b/src/basic/audit-util.h index 1ea5610e6d3..98b1b3631a6 100644 --- a/src/basic/audit-util.h +++ b/src/basic/audit-util.h @@ -1,16 +1,9 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #pragma once -#if HAVE_AUDIT -# include -#endif - #include #include -#include -#include "errno-util.h" -#include "log.h" #include "pidref.h" #define AUDIT_SESSION_INVALID UINT32_MAX @@ -18,35 +11,6 @@ int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id); int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid); -bool use_audit(void); - static inline bool audit_session_is_valid(uint32_t id) { return id > 0 && id != AUDIT_SESSION_INVALID; } - -/* The wrappers for audit_open() and audit_close() are inline functions so that we don't get a spurious - * linkage to libaudit in libbasic, but we also don't need to create a separate source file for two very - * short functions. */ - -static inline int close_audit_fd(int fd) { -#if HAVE_AUDIT - if (fd >= 0) - audit_close(fd); -#else - assert(fd < 0); -#endif - return -EBADF; -} - -static inline int open_audit_fd_or_warn(void) { - int fd = -EBADF; - -#if HAVE_AUDIT - /* If the kernel lacks netlink or audit support, don't worry about it. */ - fd = audit_open(); - if (fd < 0) - return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, - errno, "Failed to connect to audit log, ignoring: %m"); -#endif - return fd; -} diff --git a/src/core/audit-fd.c b/src/core/audit-fd.c index 87b085c1bfe..b09f3ac49a5 100644 --- a/src/core/audit-fd.c +++ b/src/core/audit-fd.c @@ -7,7 +7,7 @@ #if HAVE_AUDIT # include -# include "audit-util.h" +# include "libaudit-util.h" # include "capability-util.h" static bool initialized = false; diff --git a/src/shared/condition.c b/src/shared/condition.c index 726f9404893..63acf3906c6 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -18,7 +18,6 @@ #include "alloc-util.h" #include "apparmor-util.h" #include "architecture.h" -#include "audit-util.h" #include "battery-util.h" #include "bitfield.h" #include "blockdev-util.h" @@ -44,6 +43,7 @@ #include "id128-util.h" #include "ima-util.h" #include "initrd-util.h" +#include "libaudit-util.h" #include "limits-util.h" #include "list.h" #include "macro.h" diff --git a/src/shared/libaudit-util.c b/src/shared/libaudit-util.c new file mode 100644 index 00000000000..e84684e581e --- /dev/null +++ b/src/shared/libaudit-util.c @@ -0,0 +1,113 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include +#include +#include +#include +#include + +#if HAVE_AUDIT +# include +#endif + +#include "fd-util.h" +#include "iovec-util.h" +#include "libaudit-util.h" +#include "log.h" +#include "socket-util.h" + +static int try_audit_request(int fd) { + struct iovec iov; + struct msghdr mh; + ssize_t n; + + assert(fd >= 0); + + struct { + struct nlmsghdr hdr; + struct nlmsgerr err; + } _packed_ msg = { + .hdr.nlmsg_len = NLMSG_LENGTH(0), + .hdr.nlmsg_type = AUDIT_GET_FEATURE, + .hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, + }; + iov = IOVEC_MAKE(&msg, msg.hdr.nlmsg_len); + mh = (struct msghdr) { + .msg_iov = &iov, + .msg_iovlen = 1, + }; + + if (sendmsg(fd, &mh, MSG_NOSIGNAL) < 0) + return -errno; + + iov.iov_len = sizeof(msg); + + n = recvmsg_safe(fd, &mh, 0); + if (n < 0) + return n; + if (n != NLMSG_LENGTH(sizeof(struct nlmsgerr))) + return -EIO; + + if (msg.hdr.nlmsg_type != NLMSG_ERROR) + return -EINVAL; + + return msg.err.error; +} + +bool use_audit(void) { + static int cached_use = -1; + int r; + + if (cached_use >= 0) + return cached_use; + + _cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); + if (fd < 0) { + cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno); + if (cached_use) + log_debug_errno(errno, "Unexpected error while creating audit socket, proceeding with its use: %m"); + else + log_debug_errno(errno, "Won't talk to audit, because feature or privilege absent: %m"); + } else { + /* If we try and use the audit fd but get -ECONNREFUSED, it is because we are not in the + * initial user namespace, and the kernel does not have support for audit outside of the + * initial user namespace (see + * https://elixir.bootlin.com/linux/latest/C/ident/audit_netlink_ok). + * + * If we receive any other error, do not disable audit because we are not sure that the error + * indicates that audit will not work in general. */ + r = try_audit_request(fd); + if (r < 0) { + cached_use = r != -ECONNREFUSED; + log_debug_errno(r, cached_use ? + "Failed to make request on audit fd, ignoring: %m" : + "Won't talk to audit: %m"); + } else + cached_use = true; + } + + return cached_use; +} + +int close_audit_fd(int fd) { +#if HAVE_AUDIT + if (fd >= 0) + audit_close(fd); +#else + assert(fd < 0); +#endif + return -EBADF; +} + +int open_audit_fd_or_warn(void) { + int fd = -EBADF; + +#if HAVE_AUDIT + /* If the kernel lacks netlink or audit support, don't worry about it. */ + fd = audit_open(); + if (fd < 0) + return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, + errno, "Failed to connect to audit log, ignoring: %m"); +#endif + return fd; +} diff --git a/src/shared/libaudit-util.h b/src/shared/libaudit-util.h new file mode 100644 index 00000000000..f00d816f78e --- /dev/null +++ b/src/shared/libaudit-util.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ +#pragma once + +#include + +bool use_audit(void); + +int close_audit_fd(int fd); +int open_audit_fd_or_warn(void); diff --git a/src/shared/meson.build b/src/shared/meson.build index da1deffe4dc..0a514dec7df 100644 --- a/src/shared/meson.build +++ b/src/shared/meson.build @@ -106,6 +106,7 @@ shared_sources = files( 'killall.c', 'label-util.c', 'libarchive-util.c', + 'libaudit-util.c', 'libcrypt-util.c', 'libfido2-util.c', 'libmount-util.c', @@ -332,6 +333,7 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag) libshared_deps = [threads, libacl, + libaudit, libblkid, libcap, libcrypt, diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index 3d36b4ff64a..4163994df28 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -2,8 +2,11 @@ #include +#if HAVE_AUDIT +# include +#endif + #include "alloc-util.h" -#include "audit-util.h" #include "build.h" #include "chase.h" #include "conf-files.h" @@ -18,6 +21,7 @@ #include "fs-util.h" #include "hashmap.h" #include "image-policy.h" +#include "libaudit-util.h" #include "libcrypt-util.h" #include "main-func.h" #include "memory-util.h" diff --git a/src/test/test-condition.c b/src/test/test-condition.c index 98418d7ac35..19377962b7a 100644 --- a/src/test/test-condition.c +++ b/src/test/test-condition.c @@ -11,7 +11,6 @@ #include "alloc-util.h" #include "apparmor-util.h" #include "architecture.h" -#include "audit-util.h" #include "battery-util.h" #include "cgroup-util.h" #include "condition.h" @@ -26,6 +25,7 @@ #include "hostname-util.h" #include "id128-util.h" #include "ima-util.h" +#include "libaudit-util.h" #include "limits-util.h" #include "log.h" #include "macro.h" diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c index 488c8c18eab..c39ea9b35dd 100644 --- a/src/update-utmp/update-utmp.c +++ b/src/update-utmp/update-utmp.c @@ -5,14 +5,18 @@ #include #include +#if HAVE_AUDIT +# include +#endif + #include "sd-bus.h" #include "alloc-util.h" -#include "audit-util.h" #include "bus-error.h" #include "bus-locator.h" #include "bus-util.h" #include "format-util.h" +#include "libaudit-util.h" #include "log.h" #include "macro.h" #include "main-func.h"