Accepting request 833500 from home:fbui:systemd:openSUSE-Factory

- Rework how we prevent journald from both enabling auditd and

OBS-URL: https://build.opensuse.org/request/show/833500
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1116
parent b7b0ea0222
commit 9f480b6a46
@ -1,80 +0,0 @@
From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 29 Jun 2016 17:55:35 +0200
Subject: [PATCH 10/12] journald: disable audit support completely from the
journal

This patch not only prevents journald to enable audit system
unconditionally very early at boot but also prevents it to receive
audit messages for the audit netlink and to push them into the
journal.

The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if audit
service is started but that's not the case for all systems.

The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...

Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.

This basically reverts the following upstream commits:

- 875c2e220e2611165e09051c4747971811f1de58
- 4d9ced9956755901238fede6fc5a3d7e4e816aa6

Upstream issue:
https://github.com/systemd/systemd/issues/959

So disable all of this for now until a better option is found or
someone comes up with a real use case.

Also drop systemd-journald-audit.socket, indeed audit-logs-in-journal 'feature'
has been removed but the socket was still shipped and was statically
enabled. Therefore if auditd service was enabled, incoming messages could be
queued up to 128M and were never read (hence freed) by journald.

[fbui: fixes bsc#984034]
[fbui: fixes bsc#1109252]
---
src/journal/journald-server.c | 4 ++--
units/meson.build | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..14934080cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) {
if (r < 0)
return r;

- /* Unless we got *some* sockets and not audit, open audit socket */
- if (s->audit_fd >= 0 || no_sockets) {
+ /* Suse: disable audit messages in journal entirely. */
+ if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
diff --git a/units/meson.build b/units/meson.build
index dadc9432ef..a31acd3b05 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,6 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
--
2.26.2

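Review bot: with this patch gone (0010-journald-disable-audit-support-completely-from-the-j.patch, the file the Patch10: line further down refers to), server_init() is back to upstream's `if (s->audit_fd >= 0 || no_sockets)`, so the `no_sockets` branch calls server_open_audit() whenever journald starts without sockets handed over by PID 1 (for instance when run by hand for debugging), even though systemd-journald-audit.socket is no longer installed. The replacement in the spec (an `Audit=no` drop-in plus deleting the socket unit) therefore only covers the socket-activated case, and `Audit=` only decides whether journald switches kernel auditing on, not whether it reads the audit netlink socket. That residual gap deserves a sentence in the changes entry, since this patch's message presented both behaviours (bsc#984034 and bsc#1109252) as fixed together.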
@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>

- Rework how we prevent journald from both enabling auditd and
recording audit messages

journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.

Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).

-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>

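Review bot: the headline says "enabling auditd", but what `Audit=` controls, per the entry's own second paragraph, is whether journald turns on kernel auditing during boot; auditd is the userspace daemon and nothing here touches it. "enabling kernel audit" would keep readers from looking for an auditd.service change. The last paragraph could also say plainly that dropping the socket unit only stops the socket-activated path of audit collection, since the sentence before it already concedes there is no proper downstream knob for that.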
@ -173,7 +173,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

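Review bot: only the `Patch10:` declaration is removed here; if this spec applies patches with an explicit `%patch10 -p1` line rather than `%autopatch`/`%autosetup`, that line has to go as well or the build breaks on the now-missing file. Leaving the gap between Patch9 and Patch11 is preferable to renumbering the remaining NNNN- prefixed files.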
@ -798,6 +797,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map

# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF

# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket

%if ! 0%{?bootstrap}
%find_lang systemd
%endif
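Review bot: `rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket` removes the unit file but not the `sockets.target.wants/systemd-journald-audit.socket` symlink that upstream's units/meson.build installs alongside it (the `'sockets.target.wants/'` entry the dropped 0010 patch used to delete), so the package would ship a dangling link under sockets.target.wants/. Remove both, e.g. add `rm -f %{buildroot}%{_unitdir}/sockets.target.wants/systemd-journald-audit.socket`. Two smaller points: the comment "prevent journald from starting auditd" is misleading, since `Audit=no` only stops journald from switching kernel auditing on and does nothing about collecting audit records (which is why the second block exists), so "enabling kernel audit" is the accurate wording; and the unquoted `<<EOF` heredoc is only safe because the payload contains no `$` or backticks, so `<<'EOF'` would be the more robust form if the drop-in ever grows.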
@ -1247,6 +1259,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf

%{_prefix}/lib/systemd/journald.conf.d/

%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d

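Review bot: listing `%{_prefix}/lib/systemd/journald.conf.d/` as a bare directory entry packages the directory and whatever lands in it, which is what is wanted today, but any drop-in written in %install later would be shipped without ever appearing in %files. Prefer `%dir %{_prefix}/lib/systemd/journald.conf.d` plus the explicit `%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf`, matching the `%dir` style used for the dbus-1 directories right below.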
@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>

- Rework how we prevent journald from both enabling auditd and
recording audit messages

journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.

Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).

-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>

systemd.spec
@ -171,7 +171,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

@ -796,6 +795,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map

# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF

# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket

%if ! 0%{?bootstrap}
%find_lang systemd
%endif
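Review bot: same problem as in the identical hunk of the other spec file in this commit: `rm -f` deletes only the unit file and leaves the `sockets.target.wants/systemd-journald-audit.socket` symlink that upstream's units/meson.build installs for it, so remove that link here as well, and reword "starting auditd" to "enabling kernel audit" since that is all `Audit=no` does.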
@ -1245,6 +1257,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf

%{_prefix}/lib/systemd/journald.conf.d/

%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d
