sd-journal: allow reading sealed journal files when sealing is not supported
authorYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 27 Jun 2026 06:04:24 +0000 (15:04 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 27 Jun 2026 15:00:11 +0000 (00:00 +0900)
src/libsystemd/sd-journal/journal-authenticate-internal.c
src/libsystemd/sd-journal/journal-authenticate-internal.h
src/libsystemd/sd-journal/journal-def.h
src/libsystemd/sd-journal/journal-file.c

index 7c23b4f0ce682cda32543921d4cde173b8dee6dc..acb4c221bc44b6278e1a1572a2b491ae74f0a371 100644 (file)
@@ -12,6 +12,10 @@ void journal_auth_set_ops(const JournalAuthOps *ops) {
         auth_ops = ops;
 }
 
+bool journal_auth_supported(void) {
+        return !!auth_ops;
+}
+
 void journal_file_auth_done(JournalFile *f) {
         assert(f);
 
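Review bot: `journal_auth_supported()` is a new public-to-the-module predicate with no comment, and since `auth_ops` is only ever populated through `journal_auth_set_ops()` a reader has to trace that to understand what "supported" means here. I would add above it `/* True once a sealing/verification backend has been registered via journal_auth_set_ops(); without one, seals can neither be created nor verified in this process. */`. As a style point, with a `bool` return type `return auth_ops != NULL;` says the same as `!!auth_ops` without the double-negation idiom.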
index 0c5e559370eb6f0f27b478677f1fb7e5e4ae6c3f..5d5d94be2028e76fba3cfd8c152fa44b8c81d335 100644 (file)
@@ -21,6 +21,7 @@ typedef struct JournalAuthOps {
 } JournalAuthOps;
 
 void journal_auth_set_ops(const JournalAuthOps *ops);
+bool journal_auth_supported(void);
 
 void journal_file_auth_done(JournalFile *f);
 int journal_file_auth_load(JournalFile *f);
index 9dd3d25dc453d0bae992657a8000310bc083aa08..a48554cee1d71f1fd52b619341923aa923ca068c 100644 (file)
@@ -210,7 +210,8 @@ enum {
                                                HEADER_COMPATIBLE_TAIL_ENTRY_BOOT_ID |
                                                HEADER_COMPATIBLE_SEALED_CONTINUOUS,
 
-        HEADER_COMPATIBLE_SUPPORTED          = (HAVE_GCRYPT ? HEADER_COMPATIBLE_SEALED | HEADER_COMPATIBLE_SEALED_CONTINUOUS : 0) |
+        HEADER_COMPATIBLE_SUPPORTED          = HEADER_COMPATIBLE_SEALED |
+                                               HEADER_COMPATIBLE_SEALED_CONTINUOUS |
                                                HEADER_COMPATIBLE_TAIL_ENTRY_BOOT_ID,
 };
 
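Review bot: With the `HAVE_GCRYPT` conditional gone, `HEADER_COMPATIBLE_SUPPORTED` now lists the same three flags as `HEADER_COMPATIBLE_ANY` on the preceding lines, so the constant no longer tells a reader that the build may be unable to verify seals; that gate has moved to runtime in `warn_wrong_flags()`. A comment on the enum should record that, e.g. `/* All defined compatible flags can be parsed by any build; whether sealing is actually usable is decided at runtime for writable files in warn_wrong_flags(). */`. If `HEADER_COMPATIBLE_SUPPORTED` is identical to `HEADER_COMPATIBLE_ANY` after this change (the SEALED member of ANY is above the hunk, so I cannot confirm), consider defining one in terms of the other so they cannot drift apart.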
index 2a4e71b776485e02020dd174abd2751c1d16d721..41e06086d209e8dfdeddcdfcd93fe61e7f44a720 100644 (file)
@@ -457,14 +457,19 @@ static int journal_file_refresh_header(JournalFile *f) {
 }
 
 static bool warn_wrong_flags(const JournalFile *f, bool compatible) {
-        const uint32_t any = compatible ? HEADER_COMPATIBLE_ANY : HEADER_INCOMPATIBLE_ANY,
-                supported = compatible ? HEADER_COMPATIBLE_SUPPORTED : HEADER_INCOMPATIBLE_SUPPORTED;
+        const uint32_t any = compatible ? HEADER_COMPATIBLE_ANY : HEADER_INCOMPATIBLE_ANY;
+        uint32_t supported = compatible ? HEADER_COMPATIBLE_SUPPORTED : HEADER_INCOMPATIBLE_SUPPORTED;
         const char *type = compatible ? "compatible" : "incompatible";
         uint32_t flags;
 
         assert(f);
         assert(f->header);
 
+        /* When sealing is not supported, refuse to write to an already sealed journal file, but still allow
+         * reading sealed journal files. */
+        if (compatible && journal_file_writable(f) && !journal_auth_supported())
+                supported &= ~(HEADER_COMPATIBLE_SEALED | HEADER_COMPATIBLE_SEALED_CONTINUOUS);
+
         flags = le32toh(compatible ? f->header->compatible_flags : f->header->incompatible_flags);
 
         if (flags & ~supported) {
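Review bot: The read-only case is now accepted silently: a sealed file opened on a build without a sealing backend passes the `flags & ~supported` check on the last line, yet nothing records that its authentication tags cannot be verified, which matters for anyone relying on FSS as an integrity control. I would add, after `flags` is computed and before the check, `if (compatible && !journal_file_writable(f) && !journal_auth_supported() && (flags & (HEADER_COMPATIBLE_SEALED | HEADER_COMPATIBLE_SEALED_CONTINUOUS)) != 0)` / `        log_debug("Journal file is sealed, but this build cannot verify seals; authentication tags will not be checked.");` using the file's usual logging helper. The new comment says the function will "refuse to write", but `warn_wrong_flags()` only computes and reports the mismatch; whether the caller actually refuses depends on code outside this hunk, so the comment should say "report as unsupported" unless the refusal is confirmed. The function body continues past the end of the hunk.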