In systemd <= 257, each set_audit tristate value had special meaning,
- true: enable the kernel audit subsystem,
- false: disable the kernel audit subsystem,
- negative: keep the current kernel audit subsystem state.
And the default is true, rather than negative. So, users sometimes
explicitly pass an empty string to Audit= setting to keep the state.
But since
f48cf2a96dfdc23fe30ba0f870125fe55cab64c7 (v258), the negative
value is mistakenly used as 'really unspecified' even if an empty string
is explicitly specified.
This makes negative values handled as unspecified as usual, and assign a new
positive value AUDIT_KEEP for when an empty string is explicitly specified.
Also, make the Audit= setting accept "keep" setting, and suggest to use "keep"
rather than an empty string.
Fixes a regression caused by
f48cf2a96dfdc23fe30ba0f870125fe55cab64c7 (v258).
Fixes #39057.
<varlistentry>
<term><varname>Audit=</varname></term>
- <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
- kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
- disable it, leaving the previous state unchanged. This means if another tool turns on auditing even
- if <command>systemd-journald</command> left it off, it will still collect the generated
- messages. Defaults to on in the default journal namespace, and unset otherwise.</para>
+ <listitem><para>Takes a boolean value or special value <literal>keep</literal>. If enabled
+ <command>systemd-journald</command> will turn on kernel auditing on start-up. If disabled it will
+ turn it off. When <literal>keep</literal> it will neither enable nor disable it, leaving the previous
+ state unchanged. This means if another tool turns on auditing even if
+ <command>systemd-journald</command> left it off, it will still collect the generated messages.
+ Defaults to yes in the default journal namespace, and <literal>keep</literal> otherwise.</para>
+
+ <!-- Explicit assignment of an empty string is equivalent to 'keep', for backward compatibility. -->
<para>Note that this option does not control whether <command>systemd-journald</command> collects
generated audit records, it just controls whether it tells the kernel to generate them. If you need
assert(m);
assert(m->audit_fd >= 0);
+ assert(m->config.set_audit >= 0);
- if (m->config.set_audit < 0)
+ if (m->config.set_audit == AUDIT_KEEP)
return 0;
+ /* In the following, we can handle 'set_audit' as a boolean. */
+ assert(IN_SET(m->config.set_audit, AUDIT_NO, AUDIT_YES));
+
struct {
union {
struct nlmsghdr header;
return 0;
}
-void manager_reset_kernel_audit(Manager *m, int old_set_audit) {
+void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit) {
assert(m);
if (m->audit_fd < 0)
void process_audit_string(Manager *m, int type, const char *data, size_t size);
int manager_open_audit(Manager *m);
-void manager_reset_kernel_audit(Manager *m, int old_set_audit);
+void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit);
.compress.threshold_bytes = UINT64_MAX,
.seal = -1,
.read_kmsg = -1,
- .set_audit = -1,
+ .set_audit = _AUDIT_SET_MODE_INVALID,
.ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL,
.ratelimit_burst = DEFAULT_RATE_LIMIT_BURST,
.forward_to_syslog = -1,
MERGE_NON_NEGATIVE(read_kmsg, !m->namespace);
/* By default, kernel auditing is enabled by the main namespace instance, and not controlled by
* non-default namespace instances. */
- MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true);
+ MERGE_NON_NEGATIVE(set_audit, m->namespace ? AUDIT_KEEP : AUDIT_YES);
MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC);
/* TODO: also merge them when comdline or credentials support to configure them. */
DEFINE_STRING_TABLE_LOOKUP(split_mode, SplitMode);
DEFINE_CONFIG_PARSE_ENUM(config_parse_split_mode, split_mode, SplitMode);
+static const char* const audit_set_mode_table[_AUDIT_SET_MODE_MAX] = {
+ [AUDIT_NO] = "no",
+ [AUDIT_YES] = "yes",
+ [AUDIT_KEEP] = "keep",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(audit_set_mode, AuditSetMode, AUDIT_YES);
+/* For backward compatibility, an empty string has special meaning and equals to 'keep'. */
+DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_audit_set_mode, audit_set_mode, AuditSetMode, AUDIT_KEEP);
+
int config_parse_line_max(
const char *unit,
const char *filename,
uint64_t threshold_bytes;
} JournalCompressOptions;
+typedef enum AuditSetMode {
+ AUDIT_NO = 0, /* Disables the kernel audit subsystem on start. */
+ AUDIT_YES, /* Enables the kernel audit subsystem on start. */
+ AUDIT_KEEP, /* Keep the current kernel audit subsystem state. */
+ _AUDIT_SET_MODE_MAX,
+ _AUDIT_SET_MODE_INVALID = -EINVAL,
+} AuditSetMode;
+
typedef struct JournalConfig {
/* Storage=, cred: journal.storage */
Storage storage;
/* ReadKMsg= */
int read_kmsg;
/* Audit= */
- int set_audit;
+ AuditSetMode set_audit;
/* SyncIntervalSec= */
usec_t sync_interval_usec;
/* RateLimitIntervalSec= */
CONFIG_PARSER_PROTOTYPE(config_parse_compress);
CONFIG_PARSER_PROTOTYPE(config_parse_forward_to_socket);
CONFIG_PARSER_PROTOTYPE(config_parse_split_mode);
+CONFIG_PARSER_PROTOTYPE(config_parse_audit_set_mode);
typedef enum Storage Storage;
typedef enum SplitMode SplitMode;
+typedef enum AuditSetMode AuditSetMode;
typedef struct JournalCompressOptions JournalCompressOptions;
typedef struct JournalConfig JournalConfig;
Journal.Compress, config_parse_compress, 0, offsetof(JournalConfig, compress)
Journal.Seal, config_parse_tristate, 0, offsetof(JournalConfig, seal)
Journal.ReadKMsg, config_parse_tristate, 0, offsetof(JournalConfig, read_kmsg)
-Journal.Audit, config_parse_tristate, 0, offsetof(JournalConfig, set_audit)
+Journal.Audit, config_parse_audit_set_mode, 0, offsetof(JournalConfig, set_audit)
Journal.SyncIntervalSec, config_parse_sec, 0, offsetof(JournalConfig, sync_interval_usec)
# The following is a legacy name for compatibility
Journal.RateLimitInterval, config_parse_sec, 0, offsetof(JournalConfig, ratelimit_interval)
projects / thirdparty / systemd.git / commitdiff
