From: Lennart Poettering
Date: Fri, 30 Jun 2023 13:31:41 +0000 (+0200)
Subject: unit: don't encode literally which unit types to generate audit events for
X-Git-Tag: v254-rc1~62^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d52b8493c28b72540779896ae5bfed75f9b6f90b;p=thirdparty%2Fsystemd.git

unit: don't encode literally which unit types to generate audit events for

Let's abstract this a bit, and keep this info purely in UnitVTable.
---

diff --git a/src/core/manager.c b/src/core/manager.c
index 8a081d00567..21d2e092fa1 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3350,23 +3350,20 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
         if (MANAGER_IS_RELOADING(m))
                 return;
-        if (u->type != UNIT_SERVICE)
-                return;
-
         r = unit_name_to_prefix_and_instance(u->id, &p);
         if (r < 0) {
-                log_error_errno(r, "Failed to extract prefix and instance of unit name: %m");
+                log_warning_errno(r, "Failed to extract prefix and instance of unit name, ignoring: %m");
                 return;
         }
         msg = strjoina("unit=", p);
         if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
-                if (errno == EPERM)
-                        /* We aren't allowed to send audit messages?
-                         * Then let's not retry again. */
+                if (ERRNO_IS_PRIVILEGE(errno)) {
+                        /* We aren't allowed to send audit messages? Then let's not retry again. */
+                        log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
                         close_audit_fd();
-                else
-                        log_warning_errno(errno, "Failed to send audit message: %m");
+                } else
+                        log_warning_errno(errno, "Failed to send audit message, ignoring: %m");
         }
 #endif
diff --git a/src/core/service.c b/src/core/service.c
index 146b892e460..3f27e28a7d7 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -28,6 +28,7 @@
 #include "load-fragment.h"
 #include "log.h"
 #include "manager.h"
+#include "missing_audit.h"
 #include "open-file.h"
 #include "parse-util.h"
 #include "path-util.h"
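Review bot: Closing the audit socket in the `ERRNO_IS_PRIVILEGE(errno)` branch is, going by the comment, a one-way decision that is not retried for the rest of the manager's life, yet it is recorded only at debug level, so an operator later asking why unit start/stop audit records stopped appearing has nothing to go on; `log_warning_errno(errno, "Failed to send audit message, closing audit socket: %m");` would keep that visible without adding any retry. Widening the check from `EPERM` to `ERRNO_IS_PRIVILEGE()` (which also accepts EACCES) makes the same permanent disablement apply to a broader set of conditions, which is worth spelling out in the comment. With the `u->type != UNIT_SERVICE` guard gone, `type` is no longer validated anywhere in this function and is whatever the caller's vtable field holds; an `assert(type > 0);` near the top would catch a vtable that fills in only one of the two fields. The beginning of manager_send_unit_audit() lies outside the hunk.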
@@ -5166,4 +5167,7 @@ const UnitVTable service_vtable = {
         },
         .can_start = service_can_start,
+
+        .audit_start_message_type = AUDIT_SERVICE_START,
+        .audit_stop_message_type = AUDIT_SERVICE_STOP,
 };
diff --git a/src/core/unit.c b/src/core/unit.c
index 81467093e75..6e0702a8742 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -39,7 +39,6 @@
 #include "log.h"
 #include "logarithm.h"
 #include "macro.h"
-#include "missing_audit.h"
 #include "mkdir-label.h"
 #include "path-util.h"
 #include "process-util.h"
@@ -2585,30 +2584,30 @@ static void unit_update_on_console(Unit *u) {
 static void unit_emit_audit_start(Unit *u) {
         assert(u);
-        if (u->type != UNIT_SERVICE)
+        if (UNIT_VTABLE(u)->audit_start_message_type <= 0)
                 return;
         /* Write audit record if we have just finished starting up */
-        manager_send_unit_audit(u->manager, u, AUDIT_SERVICE_START, true);
+        manager_send_unit_audit(u->manager, u, UNIT_VTABLE(u)->audit_start_message_type, /* success= */ true);
         u->in_audit = true;
 }
 static void unit_emit_audit_stop(Unit *u, UnitActiveState state) {
         assert(u);
-        if (u->type != UNIT_SERVICE)
+        if (UNIT_VTABLE(u)->audit_start_message_type <= 0)
                 return;
         if (u->in_audit) {
                 /* Write audit record if we have just finished shutting down */
-                manager_send_unit_audit(u->manager, u, AUDIT_SERVICE_STOP, state == UNIT_INACTIVE);
+                manager_send_unit_audit(u->manager, u, UNIT_VTABLE(u)->audit_stop_message_type, /* success= */ state == UNIT_INACTIVE);
                 u->in_audit = false;
         } else {
                 /* Hmm, if there was no start record written write it now, so that we always have a nice pair */
-                manager_send_unit_audit(u->manager, u, AUDIT_SERVICE_START, state == UNIT_INACTIVE);
+                manager_send_unit_audit(u->manager, u, UNIT_VTABLE(u)->audit_start_message_type, /* success= */ state == UNIT_INACTIVE);
                 if (state == UNIT_INACTIVE)
-                        manager_send_unit_audit(u->manager, u, AUDIT_SERVICE_STOP, true);
+                        manager_send_unit_audit(u->manager, u, UNIT_VTABLE(u)->audit_stop_message_type, /* success= */ true);
         }
 }
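Review bot: The guard in unit_emit_audit_stop() checks only `audit_start_message_type`, but the function sends `audit_stop_message_type` on both branches, so a vtable that sets the start type and leaves the stop type at 0 would pass a 0 message type down to manager_send_unit_audit(), which this commit also stops validating. Since the stop path needs both fields, the check should cover them together: `if (UNIT_VTABLE(u)->audit_start_message_type <= 0 || UNIT_VTABLE(u)->audit_stop_message_type <= 0) return;` (or an assertion that the two are set together). The one-sided guard in unit_emit_audit_start() is fine as written, because that function only ever sends the start type.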
diff --git a/src/core/unit.h b/src/core/unit.h
index 3f1f58d6000..20b00799b74 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -782,6 +782,10 @@ typedef struct UnitVTable {
         /* True if systemd-oomd can monitor and act on this unit's recursive children's cgroups */
         bool can_set_managed_oom;
+
+        /* The audit events to generate on start + stop (or 0 if none shall be generated) */
+        int audit_start_message_type;
+        int audit_stop_message_type;
 } UnitVTable;
 extern const UnitVTable * const unit_vtable[_UNIT_TYPE_MAX];
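Review bot: The new comment says "0 if none shall be generated" but does not state that the two fields are used as a pair: unit_emit_audit_stop() in unit.c emits the start event itself when no start record was written, so a unit type must set both or neither. Suggest `/* The audit events to generate on start + stop (or 0 if none shall be generated). Set both or neither: the stop path also emits the start event when no start record was written. */` so that future vtable authors do not fill in only one of them.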