2025-11-22 10:14:45 +01:00
10 changed files with 16 additions and 48 deletions
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@ -478,14 +478,11 @@
      <varlistentry>
        <term><varname>Audit=</varname></term>
-        <listitem><para>Takes a boolean value or special value <literal>keep</literal>. If enabled
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
-        <command>systemd-journald</command> will turn on kernel auditing on start-up. If disabled it will
+        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
-        turn it off. When <literal>keep</literal> it will neither enable nor disable it, leaving the previous
+        disable it, leaving the previous state unchanged.  This means if another tool turns on auditing even
-        state unchanged. This means if another tool turns on auditing even if
+        if <command>systemd-journald</command> left it off, it will still collect the generated
-        <command>systemd-journald</command> left it off, it will still collect the generated messages.
+        messages. Defaults to on in the default journal namespace, and unset otherwise.</para>
        Defaults to yes in the default journal namespace, and <literal>keep</literal> otherwise.</para>
        <!-- Explicit assignment of an empty string is equivalent to 'keep', for backward compatibility. -->
        <para>Note that this option does not control whether <command>systemd-journald</command> collects
        generated audit records, it just controls whether it tells the kernel to generate them. If you need
--- a/src/core/systemd.pc.in
+++ b/src/core/systemd.pc.in
@ -91,9 +91,11 @@ catalog_dir=${prefix}/lib/systemd/catalog
 catalogdir=${catalog_dir}
 system_alloc_uid_min={{SYSTEM_ALLOC_UID_MIN}}
 systemallocuidmin=${system_alloc_uid_min}
 system_uid_max={{SYSTEM_UID_MAX}}
 systemuidmax=${system_uid_max}
 system_alloc_gid_min={{SYSTEM_ALLOC_GID_MIN}}
 systemallocgidmin=${system_alloc_gid_min}
 system_gid_max={{SYSTEM_GID_MAX}}
 systemgidmax=${system_gid_max}
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@ -465,14 +465,10 @@ static int manager_set_kernel_audit(Manager *m) {
        assert(m);
        assert(m->audit_fd >= 0);
        assert(m->config.set_audit >= 0);
-        if (m->config.set_audit == AUDIT_KEEP)
+        if (m->config.set_audit < 0)
                return 0;
        /* In the following, we can handle 'set_audit' as a boolean. */
        assert(IN_SET(m->config.set_audit, AUDIT_NO, AUDIT_YES));
        struct {
                union {
                        struct nlmsghdr header;
@ -561,7 +557,7 @@ int manager_open_audit(Manager *m) {
        return 0;
 }
-void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit) {
+void manager_reset_kernel_audit(Manager *m, int old_set_audit) {
        assert(m);
        if (m->audit_fd < 0)
--- a/src/journal/journald-audit.h
+++ b/src/journal/journald-audit.h
@ -10,4 +10,4 @@ void manager_process_audit_message(Manager *m, const void *buffer, size_t buffer
 void process_audit_string(Manager *m, int type, const char *data, size_t size);
 int manager_open_audit(Manager *m);
-void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit);
+void manager_reset_kernel_audit(Manager *m, int old_set_audit);
--- a/src/journal/journald-config.c
+++ b/src/journal/journald-config.c
@ -46,7 +46,7 @@ void journal_config_set_defaults(JournalConfig *c) {
                .compress.threshold_bytes = UINT64_MAX,
                .seal = -1,
                .read_kmsg = -1,
-                .set_audit = _AUDIT_SET_MODE_INVALID,
+                .set_audit = -1,
                .ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL,
                .ratelimit_burst = DEFAULT_RATE_LIMIT_BURST,
                .forward_to_syslog = -1,
@ -59,7 +59,6 @@ void journal_config_set_defaults(JournalConfig *c) {
                .max_level_console = -1,
                .max_level_wall = -1,
                .max_level_socket = -1,
                .split_mode = _SPLIT_INVALID,
        };
        journal_reset_metrics(&c->system_storage_metrics);
@ -123,7 +122,7 @@ void manager_merge_configs(Manager *m) {
        MERGE_NON_NEGATIVE(read_kmsg, !m->namespace);
        /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by
         * non-default namespace instances. */
-        MERGE_NON_NEGATIVE(set_audit, m->namespace ? AUDIT_KEEP : AUDIT_YES);
+        MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true);
        MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC);
        /* TODO: also merge them when comdline or credentials support to configure them. */
@ -402,16 +401,6 @@ static const char* const split_mode_table[_SPLIT_MAX] = {
 DEFINE_STRING_TABLE_LOOKUP(split_mode, SplitMode);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_split_mode, split_mode, SplitMode);
 static const char* const audit_set_mode_table[_AUDIT_SET_MODE_MAX] = {
        [AUDIT_NO]   = "no",
        [AUDIT_YES]  = "yes",
        [AUDIT_KEEP] = "keep",
 };
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(audit_set_mode, AuditSetMode, AUDIT_YES);
 /* For backward compatibility, an empty string has special meaning and equals to 'keep'. */
 DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_audit_set_mode, audit_set_mode, AuditSetMode, AUDIT_KEEP);
 int config_parse_line_max(
                const char *unit,
                const char *filename,
--- a/src/journal/journald-config.h
+++ b/src/journal/journald-config.h
@ -27,14 +27,6 @@ typedef struct JournalCompressOptions {
        uint64_t threshold_bytes;
 } JournalCompressOptions;
 typedef enum AuditSetMode {
        AUDIT_NO = 0, /* Disables the kernel audit subsystem on start. */
        AUDIT_YES,    /* Enables the kernel audit subsystem on start. */
        AUDIT_KEEP,   /* Keep the current kernel audit subsystem state. */
        _AUDIT_SET_MODE_MAX,
        _AUDIT_SET_MODE_INVALID = -EINVAL,
 } AuditSetMode;
 typedef struct JournalConfig {
        /* Storage=, cred: journal.storage */
        Storage storage;
@ -45,7 +37,7 @@ typedef struct JournalConfig {
        /* ReadKMsg= */
        int read_kmsg;
        /* Audit= */
-        AuditSetMode set_audit;
+        int set_audit;
        /* SyncIntervalSec= */
        usec_t sync_interval_usec;
        /* RateLimitIntervalSec= */
@ -110,4 +102,3 @@ CONFIG_PARSER_PROTOTYPE(config_parse_line_max);
 CONFIG_PARSER_PROTOTYPE(config_parse_compress);
 CONFIG_PARSER_PROTOTYPE(config_parse_forward_to_socket);
 CONFIG_PARSER_PROTOTYPE(config_parse_split_mode);
 CONFIG_PARSER_PROTOTYPE(config_parse_audit_set_mode);
--- a/src/journal/journald-forward.h
+++ b/src/journal/journald-forward.h
@ -6,7 +6,6 @@
 typedef enum Storage Storage;
 typedef enum SplitMode SplitMode;
 typedef enum AuditSetMode AuditSetMode;
 typedef struct JournalCompressOptions JournalCompressOptions;
 typedef struct JournalConfig JournalConfig;
--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@ -23,7 +23,7 @@ Journal.Storage,              config_parse_storage,           0, offsetof(Journa
 Journal.Compress,             config_parse_compress,          0, offsetof(JournalConfig, compress)
 Journal.Seal,                 config_parse_tristate,          0, offsetof(JournalConfig, seal)
 Journal.ReadKMsg,             config_parse_tristate,          0, offsetof(JournalConfig, read_kmsg)
-Journal.Audit,                config_parse_audit_set_mode,    0, offsetof(JournalConfig, set_audit)
+Journal.Audit,                config_parse_tristate,          0, offsetof(JournalConfig, set_audit)
 Journal.SyncIntervalSec,      config_parse_sec,               0, offsetof(JournalConfig, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval,    config_parse_sec,               0, offsetof(JournalConfig, ratelimit_interval)
--- a/src/shared/libaudit-util.c
+++ b/src/shared/libaudit-util.c
@ -19,10 +19,8 @@ DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
 DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
 DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
 static DLSYM_PROTOTYPE(audit_open) = NULL;
 #endif
 int dlopen_libaudit(void) {
 #if HAVE_AUDIT
        ELF_NOTE_DLOPEN("libaudit",
                        "Support for Audit logging",
                        ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
@ -37,12 +35,8 @@ int dlopen_libaudit(void) {
                        DLSYM_ARG(audit_log_user_avc_message),
                        DLSYM_ARG(audit_log_user_comm_message),
                        DLSYM_ARG(audit_open));
 #else
        return -EOPNOTSUPP;
 #endif
 }
 #if HAVE_AUDIT
 static int try_audit_request(int fd) {
        struct iovec iov;
        struct msghdr mh;
--- a/src/shared/libaudit-util.h
+++ b/src/shared/libaudit-util.h
@ -3,8 +3,6 @@
 #include "forward.h"
 int dlopen_libaudit(void);
 #if HAVE_AUDIT
 #  include <libaudit.h>         /* IWYU pragma: export */
@ -13,6 +11,8 @@ int dlopen_libaudit(void);
 extern DLSYM_PROTOTYPE(audit_log_acct_message);
 extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
 extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
 int dlopen_libaudit(void);
 #endif
 bool use_audit(void);