core: use shared audit-fd wrappers 35957/head
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 14 Jan 2025 14:45:07 +0000 (15:45 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 15 Jan 2025 09:35:28 +0000 (10:35 +0100)
Two funcs are renamed to avoid naming conflict with the common
helper.

src/core/audit-fd.c
src/core/audit-fd.h
src/core/manager.c
src/core/selinux-access.c

index 6674fa8379e612909a9c6c55936c81e433891caa..87b085c1bfe46a54f1cb49c9d7785a9b7a492685 100644 (file)
@@ -5,58 +5,36 @@
 #include "audit-fd.h"
 
 #if HAVE_AUDIT
+#  include <stdbool.h>
 
-#include <libaudit.h>
-#include <stdbool.h>
-
-#include "capability-util.h"
-#include "fd-util.h"
-#include "log.h"
+#  include "audit-util.h"
+#  include "capability-util.h"
 
 static bool initialized = false;
-static int audit_fd;
-
-int get_audit_fd(void) {
+static int audit_fd = -EBADF;
+#endif
 
+int get_core_audit_fd(void) {
+#if HAVE_AUDIT
         if (!initialized) {
-                if (have_effective_cap(CAP_AUDIT_WRITE) <= 0) {
+                if (have_effective_cap(CAP_AUDIT_WRITE) <= 0)
                         audit_fd = -EPERM;
-                        initialized = true;
-
-                        return audit_fd;
-                }
-
-                audit_fd = audit_open();
-
-                if (audit_fd < 0) {
-                        if (!IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
-                                log_error_errno(errno, "Failed to connect to audit log: %m");
-
-                        audit_fd = errno ? -errno : -EINVAL;
-                }
+                else
+                        audit_fd = open_audit_fd_or_warn();
 
                 initialized = true;
         }
 
         return audit_fd;
-}
-
-void close_audit_fd(void) {
-
-        if (initialized && audit_fd >= 0)
-                safe_close(audit_fd);
-
-        initialized = true;
-        audit_fd = -ECONNRESET;
-}
-
 #else
-
-int get_audit_fd(void) {
         return -EAFNOSUPPORT;
+#endif
 }
 
-void close_audit_fd(void) {
-}
-
+void close_core_audit_fd(void) {
+#if HAVE_AUDIT
+        close_audit_fd(audit_fd);
+        initialized = true;
+        audit_fd = -ECONNRESET;
 #endif
+}
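Review bot: close_core_audit_fd() now passes audit_fd to close_audit_fd() unconditionally, whereas the removed version only closed when `initialized && audit_fd >= 0`, so the helper can now receive -EBADF, -EPERM or -ECONNRESET. The helper lives in audit-util.h, which this diff does not show; if it does not ignore negative values, keep the guard as `if (audit_fd >= 0) close_audit_fd(audit_fd);`, otherwise add a short comment saying negative values are expected at this call. The two statics also deserve a comment such as `/* Cached for the lifetime of the process: after -EPERM, an open failure or close_core_audit_fd() no reopen is attempted. */`, because the visible callers then stop emitting audit records without further notice.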
index 5cdf61e52d419794855b1336d4cec0f8af27c443..2fceb433a71a7fc5602591b37c6590eab5752dbf 100644 (file)
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-int get_audit_fd(void);
-void close_audit_fd(void);
+int get_core_audit_fd(void);
+void close_core_audit_fd(void);
index f4fbeaa142cc4adc6d53ce66a88b75b9a3688646..9ddaf0051746ca3f3d0d618bfff5f39d99e9f40d 100644 (file)
@@ -3562,7 +3562,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
         if (MANAGER_IS_RELOADING(m))
                 return;
 
-        audit_fd = get_audit_fd();
+        audit_fd = get_core_audit_fd();
         if (audit_fd < 0)
                 return;
 
@@ -3577,7 +3577,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
                 if (ERRNO_IS_PRIVILEGE(errno)) {
                         /* We aren't allowed to send audit messages?  Then let's not retry again. */
                         log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
-                        close_audit_fd();
+                        close_core_audit_fd();
                 } else
                         log_warning_errno(errno, "Failed to send audit message, ignoring: %m");
         }
index a67a520a3be292e7440603cf5cb18c7ce93358c9..8ab488390cbd54e1577594c28eba8976ee9b39a0 100644 (file)
@@ -98,9 +98,7 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
         const char *fmt2;
 
 #if HAVE_AUDIT
-        int fd;
-
-        fd = get_audit_fd();
+        int fd = get_core_audit_fd();
 
         if (fd >= 0) {
                 _cleanup_free_ char *buf = NULL;
@@ -112,9 +110,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 
                 if (r >= 0) {
                         if (type == SELINUX_AVC)
-                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
+                                audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
                         else if (type == SELINUX_ERROR)
-                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
+                                audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
 
                         return 0;
                 }
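Review bot: The result of audit_log_user_avc_message() is still discarded in both branches and log_callback() then returns 0, so an AVC denial or SELinux error that fails to reach the audit socket is dropped without any trace. manager_send_unit_audit() in this same commit handles a failed send and calls close_core_audit_fd() on a privilege error; log_callback() could store the result, e.g. `r = audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());`, and make the `return 0;` conditional on it so that a failed send reaches whatever fallback follows the `if (fd >= 0)` block. That fallback is outside the hunk, so its existence is an assumption to confirm. In the visible lines, messages whose type is neither SELINUX_AVC nor SELINUX_ERROR also reach `return 0;` without being sent anywhere, which deserves a comment if it is intended.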