forked from pool/systemd
Accepting request 833500 from home:fbui:systemd:openSUSE-Factory
- Rework how we prevent journald from both enabling auditd and

OBS-URL: https://build.opensuse.org/request/show/833500
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1116
parent b7b0ea0222
commit 9f480b6a46
@ -1,80 +0,0 @@
From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 29 Jun 2016 17:55:35 +0200
Subject: [PATCH 10/12] journald: disable audit support completely from the
journal
This patch not only prevents journald to enable audit system
unconditionally very early at boot but also prevents it to receive
audit messages for the audit netlink and to push them into the
journal.
The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if audit
service is started but that's not the case for all systems.
The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...
Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.
This basically reverts the following upstream commits:
- 875c2e220e2611165e09051c4747971811f1de58
- 4d9ced9956755901238fede6fc5a3d7e4e816aa6
Upstream issue:
https://github.com/systemd/systemd/issues/959
So disable all of this for now until a better option is found or
someone comes up with a real use case.
Also drop systemd-journald-audit.socket, indeed audit-logs-in-journal 'feature'
has been removed but the socket was still shipped and was statically
enabled. Therefore if auditd service was enabled, incoming messages could be
queued up to 128M and were never read (hence freed) by journald.
[fbui: fixes bsc#984034]
[fbui: fixes bsc#1109252]
---
src/journal/journald-server.c | 4 ++--
units/meson.build | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..14934080cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) {
if (r < 0)
return r;
- /* Unless we got *some* sockets and not audit, open audit socket */
- if (s->audit_fd >= 0 || no_sockets) {
+ /* Suse: disable audit messages in journal entirely. */
+ if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
diff --git a/units/meson.build b/units/meson.build
index dadc9432ef..a31acd3b05 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,6 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
--
2.26.2
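Review bot: deleting this patch brings back upstream's fallback in server_init(), `if (s->audit_fd >= 0 || no_sockets) {` followed by `r = server_open_audit(s);`, which opens the audit netlink socket whenever journald starts without any socket handed over by PID 1; the two replacements in this request (an Audit=no drop-in and no longer shipping systemd-journald-audit.socket) only address socket activation and whether journald turns auditing on, so that fallback path deserves a check. Suggest either confirming that Audit=no also keeps a journald started outside socket activation from reading audit records, or saying in the changelog that it still can.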
@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>
- Rework how we prevent journald from both enabling auditd and
recording audit messages
journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.
Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).
-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>
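Review bot: the closing paragraph tells users they can re-enable audit recording by reintroducing the socket unit in /etc, but with the shipped drop-in still setting Audit=no journald will not enable auditing for them, so a restored socket only delivers records when the kernel audit state has been enabled by something else (auditd, or the audit= kernel parameter mentioned in the dropped patch); worth stating that here and naming an /etc/systemd/journald.conf.d override of Audit= as the matching step.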
@ -173,7 +173,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@ -798,6 +797,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF
# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket
%if ! 0%{?bootstrap}
%find_lang systemd
%endif
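Review bot: `rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket` removes the unit file but not the `sockets.target.wants/systemd-journald-audit.socket` symlink that upstream's units/meson.build installs alongside it (the dropped patch removed the unit together with its `'sockets.target.wants/'` entry), so the buildroot is left with a dangling wants link; suggest adding `rm -f %{buildroot}%{_unitdir}/sockets.target.wants/systemd-journald-audit.socket` next to it and checking that %files does not ship the leftover. Placing the Audit=no drop-in under `%{_prefix}/lib/systemd/journald.conf.d` is the right choice, since an admin override in /etc still wins.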
@ -1247,6 +1259,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf
%{_prefix}/lib/systemd/journald.conf.d/
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d
@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Sep 10 12:59:54 UTC 2020 - Franck Bui <fbui@suse.com>
- Rework how we prevent journald from both enabling auditd and
recording audit messages
journald.conf gained a new setting Audit= to control whether
journald enables audit during the boot process. So let's use it and
make sure it's disabled by default by shipping a drop-in that
overrides upstream default.
Also we used to patch systemd to prevent journald from reading the
audit messages. There's still no way for downstream to configure
that properly (we would need to mask systemd-journald-audit.socket
meaning shipping a symlink in /etc) but I think dropping
systemd-journald-audit.socket from the package is a nicer way to do
that as some users might choose to reenable this setting (by
reintroducing the socket unit in /etc).
-------------------------------------------------------------------
Thu Sep 10 09:02:13 UTC 2020 - Franck Bui <fbui@suse.com>
systemd.spec
@ -171,7 +171,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch
Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch
Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch
Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch
Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@ -796,6 +795,19 @@ fi
# which may still be used by yast.
cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map
# Create a drop-in to prevent journald from starting auditd during
# boot (bsc#984034).
mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d
cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <<EOF
[Journal]
Audit=no
EOF
# Don't ship systemd-journald-audit.socket as there's no other way for
# us to prevent journald from recording audit messages in the journal
# by default (bsc#1109252).
rm -f %{buildroot}%{_unitdir}/systemd-journald-audit.socket
%if ! 0%{?bootstrap}
%find_lang systemd
%endif
@ -1245,6 +1257,8 @@ fi
%config(noreplace) %{_sysconfdir}/systemd/timesyncd.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf
%{_prefix}/lib/systemd/journald.conf.d/
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%dir %{_datadir}/dbus-1/system.d