d011d97abb
- Upgrade to v246.4 (commit f1344d5b7f31e98aedb01e606f41d74d3caaf446)

  See https://github.com/openSUSE/systemd/blob/SUSE/v246/NEWS for details.

  Now that the number of SUSE-specific patches has been shrunk and is pretty low (12 at the time of this writing), they are no longer tracked by the git repo and are now handled at the package level. Hence it is easier to maintain and identify them. This effectively means that SUSE/v246 will contain upstream commits only.

OBS-URL: https://build.opensuse.org/request/show/832016
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1113
From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 29 Jun 2016 17:55:35 +0200
Subject: [PATCH 10/12] journald: disable audit support completely from the
 journal

This patch not only prevents journald from enabling the audit system
unconditionally very early at boot but also prevents it from receiving
audit messages from the audit netlink and pushing them into the
journal.

The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if the audit
service is started but that's not the case for all systems.

The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...

Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.

This basically reverts the following upstream commits:

- 875c2e220e2611165e09051c4747971811f1de58
- 4d9ced9956755901238fede6fc5a3d7e4e816aa6

Upstream issue:
https://github.com/systemd/systemd/issues/959

So disable all of this for now until a better option is found or
someone comes up with a real use case.

Also drop systemd-journald-audit.socket, indeed the audit-logs-in-journal 'feature'
has been removed but the socket was still shipped and was statically
enabled. Therefore if the auditd service was enabled, incoming messages could be
queued up to 128M and were never read (hence freed) by journald.

[fbui: fixes bsc#984034]
[fbui: fixes bsc#1109252]
---
src/journal/journald-server.c | 4 ++--
units/meson.build | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..14934080cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) {
if (r < 0)
return r;
- /* Unless we got *some* sockets and not audit, open audit socket */
- if (s->audit_fd >= 0 || no_sockets) {
+ /* Suse: disable audit messages in journal entirely. */
+ if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
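Review bot: In server_init(), `if (false && no_sockets)` leaves the server_open_audit() call in the source as dead code, and it also drops the old `s->audit_fd >= 0` branch, so an audit fd handed to journald at startup would no longer be set up by this block. The visible lines do not show whether such an fd is closed or simply left unread; please either remove the block outright or state in the comment what happens to a passed-in audit fd, and reference bsc#984034 there so the reason survives rebases. Because audit records stop reaching the journal with this change, the comment or packaging notes should also say that auditd is then the only collector of the audit trail. Minor: the comment should spell the vendor name "SUSE".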
diff --git a/units/meson.build b/units/meson.build
index dadc9432ef..a31acd3b05 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,6 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
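Review bot: Removing the `['systemd-journald-audit.socket', '', 'sockets.target.wants/']` entry from `units` only stops the unit from being installed and statically enabled; the diffstat shows no other file touched, so any remaining reference to systemd-journald-audit.socket in other unit files or documentation is left as is. Please confirm nothing still names the socket, and consider how upgrades are handled, since this hunk does nothing about a copy of the unit or its sockets.target.wants/ symlink already present on an installed system, which is the case where the commit message says messages queue up to 128M unread.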
--
2.26.2