Merge pull request #15463 from keszybz/resolvectl-query-formatting

Fix resolvectl query formatting

man/journald.conf.xml

@@ -402,6 +402,18 @@
         this option is enabled by default, it is disabled in all others.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>Audit=</varname></term>
+
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+        disable it, leaving the previous state unchanged. Note that this option does not control whether
+        <command>systemd-journald</command> collects generated audit records, it just controls whether it
+        tells the kernel to generate them. This means if another tool turns on auditing even if
+        <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>TTYPath=</varname></term>
 

src/basic/errno-util.h

@@ -87,12 +87,16 @@ static inline bool ERRNO_IS_RESOURCE(int r) {
                       ENOMEM);
 }
 
-/* Three different errors for "operation/system call/ioctl not supported" */
+/* Seven different errors for "operation/system call/ioctl/socket feature not supported" */
 static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
         return IN_SET(abs(r),
                       EOPNOTSUPP,
                       ENOTTY,
-                      ENOSYS);
+                      ENOSYS,
+                      EAFNOSUPPORT,
+                      EPFNOSUPPORT,
+                      EPROTONOSUPPORT,
+                      ESOCKTNOSUPPORT);
 }
 
 /* Two different errors for access problems */

src/basic/hexdecoct.c

@@ -599,13 +599,13 @@ ssize_t base64mem(const void *p, size_t l, char **out) {
 
 static int base64_append_width(
                 char **prefix, int plen,
-                const char *sep, int indent,
+                char sep, int indent,
                 const void *p, size_t l,
                 int width) {
 
         _cleanup_free_ char *x = NULL;
         char *t, *s;
-        ssize_t len, slen, avail, line, lines;
+        ssize_t len, avail, line, lines;
 
         len = base64mem(p, l, &x);
         if (len <= 0)
@@ -613,21 +613,20 @@ static int base64_append_width(
 
         lines = DIV_ROUND_UP(len, width);
 
-        slen = strlen_ptr(sep);
+        if ((size_t) plen >= SSIZE_MAX - 1 - 1 ||
-        if (plen >= SSIZE_MAX - 1 - slen ||
+            lines > (SSIZE_MAX - plen - 1 - 1) / (indent + width + 1))
-            lines > (SSIZE_MAX - plen - 1 - slen) / (indent + width + 1))
                 return -ENOMEM;
 
-        t = realloc(*prefix, (ssize_t) plen + 1 + slen + (indent + width + 1) * lines);
+        t = realloc(*prefix, (ssize_t) plen + 1 + 1 + (indent + width + 1) * lines);
         if (!t)
                 return -ENOMEM;
 
-        memcpy_safe(t + plen, sep, slen);
+        t[plen] = sep;
 
-        for (line = 0, s = t + plen + slen, avail = len; line < lines; line++) {
+        for (line = 0, s = t + plen + 1, avail = len; line < lines; line++) {
                 int act = MIN(width, avail);
 
-                if (line > 0 || sep) {
+                if (line > 0 || sep == '\n') {
                         memset(s, ' ', indent);
                         s += indent;
                 }
@@ -650,10 +649,10 @@ int base64_append(
 
         if (plen > width / 2 || plen + indent > width)
                 /* leave indent on the left, keep last column free */
-                return base64_append_width(prefix, plen, "\n", indent, p, l, width - indent - 1);
+                return base64_append_width(prefix, plen, '\n', indent, p, l, width - indent - 1);
         else
                 /* leave plen on the left, keep last column free */
-                return base64_append_width(prefix, plen, " ", plen, p, l, width - plen - 1);
+                return base64_append_width(prefix, plen, ' ', plen + 1, p, l, width - plen - 1);
 }
 
 static int unbase64_next(const char **p, size_t *l) {

src/journal/journald-audit.c

@@ -2,6 +2,7 @@
 
 #include "alloc-util.h"
 #include "audit-type.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
@@ -512,7 +513,7 @@ int server_open_audit(Server *s) {
 
                 s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                 if (s->audit_fd < 0) {
-                        if (IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
+                        if (ERRNO_IS_NOT_SUPPORTED(errno))
                                 log_debug("Audit not supported in the kernel.");
                         else
                                 log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
@@ -539,10 +540,16 @@ int server_open_audit(Server *s) {
         if (r < 0)
                 return log_error_errno(r, "Failed to add audit fd to event loop: %m");
 
-        /* We are listening now, try to enable audit */
+        if (s->set_audit >= 0) {
-        r = enable_audit(s->audit_fd, true);
+                /* We are listening now, try to enable audit if configured so */
+                r = enable_audit(s->audit_fd, s->set_audit);
                 if (r < 0)
                         log_warning_errno(r, "Failed to issue audit enable call: %m");
+                else if (s->set_audit > 0)
+                        log_debug("Auditing in kernel turned on.");
+                else
+                        log_debug("Auditing in kernel turned off.");
+        }
 
         return 0;
 }

src/journal/journald-gperf.gperf

@@ -22,6 +22,7 @@ Journal.Storage,            config_parse_storage,    0, offsetof(Server, storage
 Journal.Compress,           config_parse_compress,   0, offsetof(Server, compress)
 Journal.Seal,               config_parse_bool,       0, offsetof(Server, seal)
 Journal.ReadKMsg,           config_parse_bool,       0, offsetof(Server, read_kmsg)
+Journal.Audit,              config_parse_tristate,   0, offsetof(Server, set_audit)
 Journal.SyncIntervalSec,    config_parse_sec,        0, offsetof(Server, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval,  config_parse_sec,        0, offsetof(Server, ratelimit_interval)

src/journal/journald-server.c

@@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
                 .compress.threshold_bytes = (uint64_t) -1,
                 .seal = true,
 
+                .set_audit = true,
+
                 .watchdog_usec = USEC_INFINITY,
 
                 .sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,

src/journal/journald-server.h

@@ -108,6 +108,7 @@ struct Server {
         JournalCompressOptions compress;
         bool seal;
         bool read_kmsg;
+        int set_audit;
 
         bool forward_to_kmsg;
         bool forward_to_syslog;

src/journal/journald.conf

@@ -41,3 +41,4 @@
 #MaxLevelWall=emerg
 #LineMax=48K
 #ReadKMsg=yes
+#Audit=yes