From 7f9e3c5919e533a73f1f25c5ada436a99251a769 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Fri, 19 Dec 2025 01:56:26 +0100
Subject: [PATCH] logs-show: match init.scope rather than _PID=1 for UNIT=

We should consider the whole init.scope trusted, and any
process trying to log on behalf of a unit there should be
attributed as so.

Follow-up for 4f25248b6e69855b4da6d01690821b9359928edc
Only with this commit is the change in effect.
---
 src/shared/logs-show.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index b01cb67acd6..119c48936ab 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -1715,9 +1715,11 @@ int add_matches_for_unit_full(sd_journal *j, MatchUnitFlag flags, const char *un
                 /* Look for messages from the service itself */
                 (r = journal_add_match_pair(j, "_SYSTEMD_UNIT", unit)) ||
 
-                /* Look for messages from PID 1 about this service */
+                /* Look for messages from PID 1 about this service. Note that the actual match is placed
+                 * on init.scope rather than _PID=1, as we want to match messages from helper processes
+                 * forked off by init too. */
                 (r = sd_journal_add_disjunction(j)) ||
-                (r = sd_journal_add_match(j, "_PID=1", SIZE_MAX)) ||
+                (r = sd_journal_add_match(j, "_SYSTEMD_CGROUP=/init.scope", SIZE_MAX)) ||
                 (r = journal_add_match_pair(j, "UNIT", unit)) ||
 
                 /* Look for messages from authorized daemons about this service */
-- 
2.47.3