- Rework how we prevent journald from both enabling auditd and

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1116
Franck Bui 2020-09-10 14:46:13 +00:00 committed by Git OBS Bridge
parent bcf18a18c7
commit b18f220114
5 changed files with 68 additions and 82 deletions

@ -1,80 +0,0 @@
From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 29 Jun 2016 17:55:35 +0200
Subject: [PATCH 10/12] journald: disable audit support completely from the
journal
This patch not only prevents journald to enable audit system
unconditionally very early at boot but also prevents it to receive
audit messages for the audit netlink and to push them into the
journal.
The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if audit
service is started but that's not the case for all systems.
The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...
Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.
This basically reverts the following upstream commits:
- 875c2e220e2611165e09051c4747971811f1de58
- 4d9ced9956755901238fede6fc5a3d7e4e816aa6
Upstream issue:
https://github.com/systemd/systemd/issues/959
So disable all of this for now until a better option is found or
someone comes up with a real use case.
Also drop systemd-journald-audit.socket, indeed audit-logs-in-journal 'feature'
has been removed but the socket was still shipped and was statically
enabled. Therefore if auditd service was enabled, incoming messages could be
queued up to 128M and were never read (hence freed) by journald.
[fbui: fixes bsc#984034]
[fbui: fixes bsc#1109252]
---
src/journal/journald-server.c | 4 ++--
units/meson.build | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..14934080cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) {
if (r < 0)
return r;
- /* Unless we got *some* sockets and not audit, open audit socket */
- if (s->audit_fd >= 0 || no_sockets) {
+ /* Suse: disable audit messages in journal entirely. */
+ if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
diff --git a/units/meson.build b/units/meson.build
index dadc9432ef..a31acd3b05 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,6 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
--
2.26.2
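Review bot: deleting this patch brings back upstream's `if (s->audit_fd >= 0 || no_sockets)` branch in server_init(), which (as the original comment "Unless we got *some* sockets and not audit, open audit socket" says) makes journald call server_open_audit() itself whenever it is started without any passed sockets, independently of whether systemd-journald-audit.socket is installed. The replacement approach in this commit (an Audit=no drop-in plus not shipping the socket unit) only closes the socket-activated path, so either verify that a socket-less start of journald no longer opens the audit netlink socket under Audit=no, or state in the changelog that this residual path is accepted. The meson.build part of the patch also suppressed the `sockets.target.wants/` symlink for the audit socket; with the patch gone the build installs that symlink again, which the spec change needs to take into account.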

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>
- Rework how we prevent journald from both enabling auditd and
recording audit messages
journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.
Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).
-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>
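Review bot: the last sentence tells users they can get audit recording back by reintroducing the socket unit in /etc, but restoring the socket only restores the reading side; the spec side of this same commit ships 20-suse-defaults.conf with Audit=no, so journald will no longer turn kernel auditing on by itself, and unless auditd (or a later-sorting drop-in under /etc/systemd/journald.conf.d/ setting Audit=yes) enables it there will be nothing for the restored socket to receive. Spelling out both knobs in the entry would avoid confusion later.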

@ -173,7 +173,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
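Review bot: only the `Patch10:` definition is dropped here; if %prep applies patches with explicit `%patch10 -p1` lines rather than %autopatch/%autosetup, that line has to go as well or the build fails on the missing patch. The numbering gap (Patch9, Patch11) itself is harmless for rpm.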
@ -798,6 +797,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF
# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket
%if ! 0%{?bootstrap}
%find_lang systemd
%endif
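Review bot: `rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket` deletes the unit file but not the `sockets.target.wants/systemd-journald-audit.socket` symlink that the build installs again now that the meson.build change from the deleted patch is gone, leaving a dangling symlink under %{_unitdir}/sockets.target.wants/ (or an unpackaged-file error, depending on how %files globs that directory). Remove both, e.g. add `rm -f %{buildroot}%{_unitdir}/sockets.target.wants/systemd-journald-audit.socket`. Separately, the comment "prevent journald from starting auditd" is misleading: per the changelog, Audit=no stops journald from enabling kernel auditing during boot; auditd is a separate service that journald never starts either way, so the comment should say "enabling kernel audit".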
@ -1247,6 +1259,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf
%{_prefix}/lib/systemd/journald.conf.d/
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d
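Review bot: listing `%{_prefix}/lib/systemd/journald.conf.d/` with a trailing slash packages the directory and whatever ends up in it, so a future stray file there would be shipped silently; listing `%dir %{_prefix}/lib/systemd/journald.conf.d` plus `%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf` explicitly keeps the %files section honest about what the package owns.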

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>
- Rework how we prevent journald from both enabling auditd and
recording audit messages
journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.
Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).
-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>

@ -171,7 +171,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@ -796,6 +795,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF
# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket
%if ! 0%{?bootstrap}
%find_lang systemd
%endif
@ -1245,6 +1257,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf
%{_prefix}/lib/systemd/journald.conf.d/
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d