From: Yu Watanabe
Date: Sat, 27 Jun 2026 06:04:24 +0000 (+0900)
Subject: sd-journal: allow to read sealed journal files when sealing is not supported
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2e077b57a7fa6e2533bc23106dcbfdecc543a46a;p=thirdparty%2Fsystemd.git
sd-journal: allow to read sealed journal files when sealing is not supported
---
diff --git a/src/libsystemd/sd-journal/journal-authenticate-internal.c b/src/libsystemd/sd-journal/journal-authenticate-internal.c
index 7c23b4f0ce6..acb4c221bc4 100644
--- a/src/libsystemd/sd-journal/journal-authenticate-internal.c
+++ b/src/libsystemd/sd-journal/journal-authenticate-internal.c
@@ -12,6 +12,10 @@ void journal_auth_set_ops(const JournalAuthOps *ops) {
 auth_ops = ops;
 }
+bool journal_auth_supported(void) {
+ return !!auth_ops;
+}
+
 void journal_file_auth_done(JournalFile *f) {
 assert(f);
diff --git a/src/libsystemd/sd-journal/journal-authenticate-internal.h b/src/libsystemd/sd-journal/journal-authenticate-internal.h
index 0c5e559370e..5d5d94be202 100644
--- a/src/libsystemd/sd-journal/journal-authenticate-internal.h
+++ b/src/libsystemd/sd-journal/journal-authenticate-internal.h
@@ -21,6 +21,7 @@ typedef struct JournalAuthOps {
 } JournalAuthOps;
 void journal_auth_set_ops(const JournalAuthOps *ops);
+bool journal_auth_supported(void);
 void journal_file_auth_done(JournalFile *f);
 int journal_file_auth_load(JournalFile *f);
diff --git a/src/libsystemd/sd-journal/journal-def.h b/src/libsystemd/sd-journal/journal-def.h
index 9dd3d25dc45..a48554cee1d 100644
--- a/src/libsystemd/sd-journal/journal-def.h
+++ b/src/libsystemd/sd-journal/journal-def.h
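Review bot: journal_auth_supported() in journal-authenticate-internal.c reports whether an ops table is registered at the moment of the call, not whether the build is able to seal, and neither the name nor the definition says so. journal_auth_set_ops() just assigns the pointer, so a caller that asks before registration gets false; the new writable-file check in journal-file.c depends on this ordering, which presumably holds because registration happens at startup, but that is not visible in this diff. I would document the contract at the definition, e.g. `/* True once journal_auth_set_ops() has installed a non-NULL ops table; only meaningful after registration. */`.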
@@ -210,7 +210,8 @@ enum {
 HEADER_COMPATIBLE_TAIL_ENTRY_BOOT_ID | HEADER_COMPATIBLE_SEALED_CONTINUOUS,
- HEADER_COMPATIBLE_SUPPORTED = (HAVE_GCRYPT ? HEADER_COMPATIBLE_SEALED | HEADER_COMPATIBLE_SEALED_CONTINUOUS : 0) |
+ HEADER_COMPATIBLE_SUPPORTED = HEADER_COMPATIBLE_SEALED |
+ HEADER_COMPATIBLE_SEALED_CONTINUOUS |
 HEADER_COMPATIBLE_TAIL_ENTRY_BOOT_ID,
 };
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 2a4e71b7764..41e06086d20 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -457,14 +457,19 @@ static int journal_file_refresh_header(JournalFile *f) {
 }
 static bool warn_wrong_flags(const JournalFile *f, bool compatible) {
- const uint32_t any = compatible ? HEADER_COMPATIBLE_ANY : HEADER_INCOMPATIBLE_ANY,
- supported = compatible ? HEADER_COMPATIBLE_SUPPORTED : HEADER_INCOMPATIBLE_SUPPORTED;
+ const uint32_t any = compatible ? HEADER_COMPATIBLE_ANY : HEADER_INCOMPATIBLE_ANY;
+ uint32_t supported = compatible ? HEADER_COMPATIBLE_SUPPORTED : HEADER_INCOMPATIBLE_SUPPORTED;
 const char *type = compatible ? "compatible" : "incompatible";
 uint32_t flags;
 assert(f);
 assert(f->header);
+ /* When sealing is not supported, refuse to write to an already sealed journal file, but still allow
+ * reading sealed journal files. */
+ if (compatible && journal_file_writable(f) && !journal_auth_supported())
+ supported &= ~(HEADER_COMPATIBLE_SEALED | HEADER_COMPATIBLE_SEALED_CONTINUOUS);
+
 flags = le32toh(compatible ? f->header->compatible_flags : f->header->incompatible_flags);
 if (flags & ~supported) {
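Review bot: HEADER_COMPATIBLE_SUPPORTED in journal-def.h now always carries both sealing bits, so the only remaining gate for a build without sealing is the runtime mask this commit adds in warn_wrong_flags(). Any other reader of the constant (none is visible in this diff) would from now on treat a sealed file as fully supported regardless of journal_auth_supported(), so the remaining users should be checked before merging. A comment above the enumerator would keep the coupling visible, e.g. `/* Sealing bits are listed unconditionally; warn_wrong_flags() masks them for writable files when journal_auth_supported() is false. */`.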
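Review bot: On the read path in warn_wrong_flags() a sealed file is now accepted when journal_auth_supported() is false, and nothing in this hunk records that its seal cannot be checked in that configuration. Entries from such a file could then be presented with the same confidence as ones whose tags were verified; how the verification code behaves without registered ops is not visible here. I would log the condition once `flags` has been read, e.g. `if (compatible && !journal_auth_supported() && (flags & HEADER_COMPATIBLE_SEALED))` followed by `log_debug("Journal file %s is sealed, but sealing is not supported; the seal will not be verified.", f->path);`. The function body continues past the end of the hunk.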