From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 14 Jan 2025 14:45:07 +0000 (+0100)
Subject: core: use shared audit-fd wrappers
X-Git-Tag: v258-rc1~1613^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F35957%2Fhead;p=thirdparty%2Fsystemd.git
core: use shared audit-fd wrappers
Two funcs are renamed to avoid naming conflict with the common helper.
---
diff --git a/src/core/audit-fd.c b/src/core/audit-fd.c
index 6674fa8379e..87b085c1bfe 100644
--- a/src/core/audit-fd.c
+++ b/src/core/audit-fd.c
@@ -5,58 +5,36 @@
 #include "audit-fd.h"
 #if HAVE_AUDIT
+# include
-#include
-#include
-
-#include "capability-util.h"
-#include "fd-util.h"
-#include "log.h"
+# include "audit-util.h"
+# include "capability-util.h"
 static bool initialized = false;
-static int audit_fd;
-
-int get_audit_fd(void) {
+static int audit_fd = -EBADF;
+#endif
+int get_core_audit_fd(void) {
+#if HAVE_AUDIT
 if (!initialized) {
- if (have_effective_cap(CAP_AUDIT_WRITE) <= 0) {
+ if (have_effective_cap(CAP_AUDIT_WRITE) <= 0)
 audit_fd = -EPERM;
- initialized = true;
-
- return audit_fd;
- }
-
- audit_fd = audit_open();
-
- if (audit_fd < 0) {
- if (!IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
- log_error_errno(errno, "Failed to connect to audit log: %m");
-
- audit_fd = errno ? -errno : -EINVAL;
- }
+ else
+ audit_fd = open_audit_fd_or_warn();
 initialized = true;
 }
 return audit_fd;
-}
-
-void close_audit_fd(void) {
-
- if (initialized && audit_fd >= 0)
- safe_close(audit_fd);
-
- initialized = true;
- audit_fd = -ECONNRESET;
-}
-
 #else
-
-int get_audit_fd(void) {
 return -EAFNOSUPPORT;
+#endif
 }
-void close_audit_fd(void) {
-}
-
+void close_core_audit_fd(void) {
+#if HAVE_AUDIT
+ close_audit_fd(audit_fd);
+ initialized = true;
+ audit_fd = -ECONNRESET;
 #endif
+}
diff --git a/src/core/audit-fd.h b/src/core/audit-fd.h
index 5cdf61e52d4..2fceb433a71 100644
--- a/src/core/audit-fd.h
+++ b/src/core/audit-fd.h
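Review bot: In src/core/audit-fd.c, `close_core_audit_fd()` now hands `audit_fd` to `close_audit_fd()` unconditionally, where the removed code closed only when `initialized && audit_fd >= 0`. The variable also carries negative sentinels (`-EBADF` before first use, `-EPERM`, `-ECONNRESET`), so this is safe only if the shared helper from audit-util.h ignores negative values; that helper is not part of this diff and should be confirmed. A comment above the static would pin the contract down, e.g. `/* >= 0: open audit socket; < 0: cached -errno, not retried once initialized is set */`. A failure in `get_core_audit_fd()` is cached for the rest of the process lifetime, so audit records are dropped from then on without further notice. Whether `open_audit_fd_or_warn()` still keeps quiet for EAFNOSUPPORT/EPROTONOSUPPORT, as the removed code did, cannot be seen from this hunk.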
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-int get_audit_fd(void);
-void close_audit_fd(void);
+int get_core_audit_fd(void);
+void close_core_audit_fd(void);
diff --git a/src/core/manager.c b/src/core/manager.c
index f4fbeaa142c..9ddaf005174 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3562,7 +3562,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
 if (MANAGER_IS_RELOADING(m))
 return;
- audit_fd = get_audit_fd();
+ audit_fd = get_core_audit_fd();
 if (audit_fd < 0)
 return;
@@ -3577,7 +3577,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
 if (ERRNO_IS_PRIVILEGE(errno)) {
 /* We aren't allowed to send audit messages? Then let's not retry again. */
 log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
- close_audit_fd();
+ close_core_audit_fd();
 } else
 log_warning_errno(errno, "Failed to send audit message, ignoring: %m");
 }
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index a67a520a3be..8ab488390cb 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -98,9 +98,7 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 const char *fmt2;
 #if HAVE_AUDIT
- int fd;
-
- fd = get_audit_fd();
+ int fd = get_core_audit_fd();
 if (fd >= 0) {
 _cleanup_free_ char *buf = NULL;
@@ -112,9 +110,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 if (r >= 0) {
 if (type == SELINUX_AVC)
- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
+ audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
 else if (type == SELINUX_ERROR)
- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
+ audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
 return 0;
 }
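Review bot: In the last hunk of src/core/selinux-access.c, the result of both `audit_log_user_avc_message(fd, ...)` calls is discarded and `log_callback()` then returns 0, so an AVC or SELinux error message that fails to reach the audit socket is lost without trace. The manager.c hunk in this same commit does handle a failed send (debug log plus `close_core_audit_fd()` on a privilege error, a warning otherwise); this path has no equivalent. Consider capturing the result and taking the early `return 0;` only when the send succeeded, so a failed send falls through to whatever follows the `#if HAVE_AUDIT` block, which is outside the hunk. The same early return is also reached for message types other than `SELINUX_AVC` and `SELINUX_ERROR`, which are then written nowhere. A short comment saying whether that is intended would help.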