journald: enable audit in the kernel when initializing

Similar to auditd actually turn on auditing as we are starting. This way we can operate entirely without auditd around.
author: Lennart Poettering <lennart@poettering.net> 2014-11-04 00:01:32 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-11-04 00:01:32 +0100
commit: 4d9ced9956755901238fede6fc5a3d7e4e816aa6 (patch)
tree: 3eead67f45b9c742f1a5e28ba0290a1ab2047033 /src/journal
parent: 2b0073e1d2fb0611733e0b83bd41cc753b254593 (diff)
1 files changed, 50 insertions, 0 deletions
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 787ec34bb..0e1e8bd5d 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -438,6 +438,51 @@ void server_process_audit_message(
         process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)), tv);
 }
 
+static int enable_audit(int fd, bool b) {
+        struct {
+                union {
+                        struct nlmsghdr header;
+                        uint8_t header_space[NLMSG_HDRLEN];
+                };
+                struct audit_status body;
+        } _packed_ request = {
+                .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
+                .header.nlmsg_type = AUDIT_SET,
+                .header.nlmsg_flags = NLM_F_REQUEST,
+                .header.nlmsg_seq = 1,
+                .header.nlmsg_pid = 0,
+                .body.mask = AUDIT_STATUS_ENABLED,
+                .body.enabled = b,
+        };
+        union sockaddr_union sa = {
+                .nl.nl_family = AF_NETLINK,
+                .nl.nl_pid = 0,
+        };
+        struct iovec iovec = {
+                .iov_base = &request,
+                .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
+        };
+        struct msghdr mh = {
+                .msg_iov = &iovec,
+                .msg_iovlen = 1,
+                .msg_name = &sa.sa,
+                .msg_namelen = sizeof(sa.nl),
+        };
+
+        ssize_t n;
+
+        n = sendmsg(fd, &mh, MSG_NOSIGNAL);
+        if (n < 0)
+                return -errno;
+        if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
+                return -EIO;
+
+        /* We don't wait for the result here, we can't do anything
+         * about it anyway */
+
+        return 0;
+}
+
 int server_open_audit(Server *s) {
         static const int one = 1;
         int r;
@@ -479,5 +524,10 @@ int server_open_audit(Server *s) {
                 return r;
         }
 
+        /* We are listening now, try to enable audit */
+        r = enable_audit(s->audit_fd, true);
+        if (r < 0)
+                log_warning("Failed to issue audit enable call: %s", strerror(-r));
+
         return 0;
 }
author	Lennart Poettering <lennart@poettering.net>	2014-11-04 00:01:32 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-11-04 00:01:32 +0100
commit	4d9ced9956755901238fede6fc5a3d7e4e816aa6 (patch)
tree	3eead67f45b9c742f1a5e28ba0290a1ab2047033 /src/journal
parent	2b0073e1d2fb0611733e0b83bd41cc753b254593 (diff)