audit-fd: check for CAP_AUDIT_WRITE before opening an audit socket 5883/head
authorGary Tierney <gary.tierney@gmx.com>
Tue, 2 May 2017 20:05:32 +0000 (21:05 +0100)
committerGary Tierney <gary.tierney@gmx.com>
Fri, 12 May 2017 13:43:39 +0000 (14:43 +0100)
Adds a check to audit-fd.c to ensure that CAP_AUDIT_WRITE is present in
the set of effective capabilities before opening an audit netlink
socket.  This ensures that unprivileged systemd instances (MANAGER_USER)
don't try to log AVC permission checks with the audit subsystem when
CAP_AUDIT_WRITE is not present.

src/core/audit-fd.c

index 76afe3fe15ad8aefa39bb9909172b6964e22abc7..a91906b626de037b5d33833673c9be91ff0eb17b 100644 (file)
@@ -27,6 +27,7 @@
 #include <libaudit.h>
 #include <stdbool.h>
 
+#include "capability-util.h"
 #include "fd-util.h"
 #include "log.h"
 #include "util.h"
@@ -37,6 +38,13 @@ static int audit_fd;
 int get_audit_fd(void) {
 
         if (!initialized) {
+                if (have_effective_cap(CAP_AUDIT_WRITE) == 0) {
+                        audit_fd = -EPERM;
+                        initialized = true;
+
+                        return audit_fd;
+                }
+
                 audit_fd = audit_open();
 
                 if (audit_fd < 0) {
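Review bot: The added guard `if (have_effective_cap(CAP_AUDIT_WRITE) == 0)` only catches the "capability not set" result, so a failed capability query is treated the same as having the capability. The definition of have_effective_cap() is not in this hunk, but if it can return a negative errno, that case falls through to `audit_open()` without comment. If trying the socket anyway is the intended best-effort behaviour, say so at the check, e.g. `/* On error (< 0) we still attempt audit_open() and let the kernel decide */`. Otherwise, store the negative return in `audit_fd` and skip the open. Because `initialized` is set on the early-return path, the `-EPERM` result is cached for the life of the process, which deserves a short comment for callers that may later gain capabilities. The body of get_audit_fd() continues past the end of the hunk.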