

6 Commits

Lennart Poettering 5099fd44ca
Merge pull request #15463 from keszybz/resolvectl-query-formatting
Fix resolvectl query formatting
2020-04-18 15:56:16 +02:00
Lennart Poettering 0d5071fb29
Merge pull request #15444 from poettering/audit-enable
journald: make whether we enable auditing at start-up optional
2020-04-18 15:55:10 +02:00
Zbigniew Jędrzejewski-Szmek 0136b1d1e0 resolvectl: fix indentation of hexdump'ed packets
ebf963c551 changed the 'sep' argument to always
be either " " or "\n", which broke the indentation logic for the first line
in base64_append_width(). Since it now always is one character, and never NULL,
let's change the type to char and simplify the logic a bit.

$ COLUMNS=30 build/test-dns-packet test/test-resolve/org~20200417.pkts
============== test/test-resolve/org~20200417.pkts ==============
org IN DNSKEY 256 3 RSASHA1-NSEC3-SHA1
        AwEAAcLPVEcg0hFBheXQf
        QOqqLiRgckk69o2KTAsq3
        lNRY0c9mnEjzZDGsGmXNy
        2EQ6yelkIYYus7KLor2Fz
        x59hEqcM82zqkdHV6hXvZ
        yjxxSHG3nl8xQS6gF8mdI
        YouDTWWhTInfjSKoIeDok
        Hq3S67EjSngV7/wVCMTbI
        amS0NF4H
        -- Flags: ZONE_KEY
        -- Key tag: 37022
...

$ COLUMNS=120 build/test-dns-packet test/test-resolve/org~20200417.pkts
============== test/test-resolve/org~20200417.pkts ==============
org IN DNSKEY 256 3 RSASHA1-NSEC3-SHA1 AwEAAcLPVEcg0hFBheXQfQOqqLiRgckk69o2KTAsq3lNRY0c9mnEjzZDGsGmXNy2EQ6yelkIYYus7KLor
                                       2Fzx59hEqcM82zqkdHV6hXvZyjxxSHG3nl8xQS6gF8mdIYouDTWWhTInfjSKoIeDokHq3S67EjSngV7/w
                                       VCMTbIamS0NF4H
        -- Flags: ZONE_KEY
        -- Key tag: 37022
...
2020-04-17 18:29:42 +02:00
Zbigniew Jędrzejewski-Szmek 2cb9a8b963 test-resolve: add a bunch more packets for testing
Let's append the date to the domain in the file name, to be able
to have multiple versions for the same domain.

There is no particular rhyme or reason to the domains being used:
I just pulled a few domains that happened to be present in issues reported
on github, even though the issues were not about pretty printing.
2020-04-17 18:29:15 +02:00
Lennart Poettering 0648f9beb9 errno-util: let's beef up ERRNO_IS_NOT_SUPPORTED() with socket not supported errors 2020-04-17 16:05:56 +02:00
Lennart Poettering 511e03a3ee journald: add configuration option for enabling/disabling audit during journald startup
Let's make it optional whether auditing is enabled at journald start-up
or not.

Note that this only controls whether audit is enabled/disabled in the
kernel. Either way we'll still collect the audit data if it is
generated, i.e. if some other tool enables it, we'll collect it.

Fixes: #959
2020-04-17 16:05:22 +02:00
14 changed files with 45 additions and 18 deletions


@ -402,6 +402,18 @@
this option is enabled by default, it is disabled in all others.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Audit=</varname></term>
<listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
disable it, leaving the previous state unchanged. Note that this option does not control whether
<command>systemd-journald</command> collects generated audit records, it just controls whether it
tells the kernel to generate them. This means if another tool turns on auditing even if
<command>systemd-journald</command> left it off, it will still collect the generated
messages. Defaults to on.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TTYPath=</varname></term>


@ -87,12 +87,16 @@ static inline bool ERRNO_IS_RESOURCE(int r) {
ENOMEM);
}
/* Three different errors for "operation/system call/ioctl not supported" */
/* Seven different errors for "operation/system call/ioctl/socket feature not supported" */
static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
return IN_SET(abs(r),
EOPNOTSUPP,
ENOTTY,
ENOSYS);
ENOSYS,
EAFNOSUPPORT,
EPFNOSUPPORT,
EPROTONOSUPPORT,
ESOCKTNOSUPPORT);
}
/* Two different errors for access problems */
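Review bot: Widening ERRNO_IS_NOT_SUPPORTED() to the four socket errnos silently changes every existing caller that uses it to downgrade a failure into a "not supported, carry on" path, not only the audit socket this series touches; each of those callers should be checked to confirm that e.g. EPFNOSUPPORT or ESOCKTNOSUPPORT from its socket() call is genuinely benign there rather than a misconfiguration worth surfacing. Because the helper is the shared gate for that decision, a one-line comment on the definition would keep future additions conservative: `/* Callers use this to skip optional features quietly; keep the set tight. */`. ENOTSUP is not in the list; presumably because glibc defines it equal to EOPNOTSUPP, and if IN_SET expands to a switch a duplicate value would not compile, which is worth one line of comment so nobody adds it.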


@ -599,13 +599,13 @@ ssize_t base64mem(const void *p, size_t l, char **out) {
static int base64_append_width(
char **prefix, int plen,
const char *sep, int indent,
char sep, int indent,
const void *p, size_t l,
int width) {
_cleanup_free_ char *x = NULL;
char *t, *s;
ssize_t len, slen, avail, line, lines;
ssize_t len, avail, line, lines;
len = base64mem(p, l, &x);
if (len <= 0)
@ -613,21 +613,20 @@ static int base64_append_width(
lines = DIV_ROUND_UP(len, width);
slen = strlen_ptr(sep);
if (plen >= SSIZE_MAX - 1 - slen ||
lines > (SSIZE_MAX - plen - 1 - slen) / (indent + width + 1))
if ((size_t) plen >= SSIZE_MAX - 1 - 1 ||
lines > (SSIZE_MAX - plen - 1 - 1) / (indent + width + 1))
return -ENOMEM;
t = realloc(*prefix, (ssize_t) plen + 1 + slen + (indent + width + 1) * lines);
t = realloc(*prefix, (ssize_t) plen + 1 + 1 + (indent + width + 1) * lines);
if (!t)
return -ENOMEM;
memcpy_safe(t + plen, sep, slen);
t[plen] = sep;
for (line = 0, s = t + plen + slen, avail = len; line < lines; line++) {
for (line = 0, s = t + plen + 1, avail = len; line < lines; line++) {
int act = MIN(width, avail);
if (line > 0 || sep) {
if (line > 0 || sep == '\n') {
memset(s, ' ', indent);
s += indent;
}
@ -650,10 +649,10 @@ int base64_append(
if (plen > width / 2 || plen + indent > width)
/* leave indent on the left, keep last column free */
return base64_append_width(prefix, plen, "\n", indent, p, l, width - indent - 1);
return base64_append_width(prefix, plen, '\n', indent, p, l, width - indent - 1);
else
/* leave plen on the left, keep last column free */
return base64_append_width(prefix, plen, " ", plen, p, l, width - plen - 1);
return base64_append_width(prefix, plen, ' ', plen + 1, p, l, width - plen - 1);
}
static int unbase64_next(const char **p, size_t *l) {
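Review bot: The overflow guard `lines > (SSIZE_MAX - plen - 1 - 1) / (indent + width + 1)` and `DIV_ROUND_UP(len, width)` just above it both assume `width > 0` and `indent >= 0`, while base64_append now passes `width - plen - 1` and `width - indent - 1` derived from a terminal width that, per the commit message, comes from COLUMNS; unless base64_append clamps width before the part visible here (its start is outside the hunk), a very narrow COLUMNS makes the divisor zero or negative, which is undefined behavior in what is otherwise harmless pretty-printing. A guard at the top of base64_append_width, `if (width <= 0 || indent < 0) return -EINVAL;`, makes that contract explicit and costs nothing. Separately, `plen + 1 + 1` in three places reads like a mechanical `slen → 1` substitution; naming the two bytes, `/* separator byte + terminating NUL */` (the NUL is presumably written after the loop, outside the hunk), would help the next reader more than the bare arithmetic.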


@ -2,6 +2,7 @@
#include "alloc-util.h"
#include "audit-type.h"
#include "errno-util.h"
#include "fd-util.h"
#include "hexdecoct.h"
#include "io-util.h"
@ -512,7 +513,7 @@ int server_open_audit(Server *s) {
s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
if (s->audit_fd < 0) {
if (IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
if (ERRNO_IS_NOT_SUPPORTED(errno))
log_debug("Audit not supported in the kernel.");
else
log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
@ -539,10 +540,16 @@ int server_open_audit(Server *s) {
if (r < 0)
return log_error_errno(r, "Failed to add audit fd to event loop: %m");
/* We are listening now, try to enable audit */
r = enable_audit(s->audit_fd, true);
if (s->set_audit >= 0) {
/* We are listening now, try to enable audit if configured so */
r = enable_audit(s->audit_fd, s->set_audit);
if (r < 0)
log_warning_errno(r, "Failed to issue audit enable call: %m");
else if (s->set_audit > 0)
log_debug("Auditing in kernel turned on.");
else
log_debug("Auditing in kernel turned off.");
}
return 0;
}
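Review bot: With `Audit=no` the `else` branch reaching `log_debug("Auditing in kernel turned off.")` records a security-relevant state change — journald actively disabling kernel auditing, possibly undoing what auditd or an audit rule set enabled earlier if journald is (re)started after them — at debug level only. I would log both the explicit enable and disable at info, e.g. `log_info("Auditing in kernel turned %s.", s->set_audit > 0 ? "on" : "off");`, so the transition is visible in the journal without debug logging. The tristate contract of `s->set_audit` is only implied by the `>= 0` test; a comment on the `if`, `/* set_audit < 0: leave the kernel's audit state untouched (Audit= unset) */`, would make it explicit. enable_audit()'s parameter type is not visible here; if it is a bool the int passes fine, otherwise `s->set_audit > 0` is the safer form.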


@ -22,6 +22,7 @@ Journal.Storage, config_parse_storage, 0, offsetof(Server, storage
Journal.Compress, config_parse_compress, 0, offsetof(Server, compress)
Journal.Seal, config_parse_bool, 0, offsetof(Server, seal)
Journal.ReadKMsg, config_parse_bool, 0, offsetof(Server, read_kmsg)
Journal.Audit, config_parse_tristate, 0, offsetof(Server, set_audit)
Journal.SyncIntervalSec, config_parse_sec, 0, offsetof(Server, sync_interval_usec)
# The following is a legacy name for compatibility
Journal.RateLimitInterval, config_parse_sec, 0, offsetof(Server, ratelimit_interval)


@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = (uint64_t) -1,
.seal = true,
.set_audit = true,
.watchdog_usec = USEC_INFINITY,
.sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,
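Review bot: `.set_audit = true,` initializes an `int` tristate with a bool, which hides the -1/0/1 contract that server_open_audit relies on through its `>= 0` test; `.set_audit = 1, /* tristate: -1 leaves the kernel's audit state untouched */` documents it at the one place the default is chosen. server_init continues outside the hunk.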


@ -108,6 +108,7 @@ struct Server {
JournalCompressOptions compress;
bool seal;
bool read_kmsg;
int set_audit;
bool forward_to_kmsg;
bool forward_to_syslog;
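Review bot: `int set_audit;` sits among bools and is the only tristate in this group, yet nothing at the declaration says what the three values mean; server_open_audit treats negative as "do not touch kernel audit state", 0 as disable and positive as enable. A trailing comment, `int set_audit; /* tristate from Audit=: -1 leave kernel audit state as is, 0 disable at startup, 1 enable */`, keeps the contract next to the field where the gperf mapping and the default initializer both refer to it. struct Server starts outside the hunk.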


@ -41,3 +41,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=yes




