SHA256
1
0
forked from pool/systemd
systemd/0010-journald-disable-audit-support-completely-from-the-j.patch
Franck Bui d011d97abb Accepting request 832016 from home:fbui:systemd:openSUSE-Factory
- Upgrade to v246.4 (commit f1344d5b7f31e98aedb01e606f41d74d3caaf446)
  See https://github.com/openSUSE/systemd/blob/SUSE/v246/NEWS for
  details. 
  Now that the number of SUSE specific patches has been shrinked and
  is pretty low (12 at the time of this writing), they are no more
  tracked by the git repo and are now handled at the package
  level. Hence It is easier to maintain and identify them. This
  effectively means that SUSE/v246 will contain upstream commits only.

OBS-URL: https://build.opensuse.org/request/show/832016
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1113
2020-09-04 06:47:46 +00:00

81 lines
3.1 KiB
Diff

From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 29 Jun 2016 17:55:35 +0200
Subject: [PATCH 10/12] journald: disable audit support completely from the
journal
This patch not only prevents journald to enable audit system
unconditionally very early at boot but also prevents it to receive
audit messages for the audit netlink and to push them into the
journal.
The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if audit
service is started but that's not the case for all systems.
The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...
Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.
This basically reverts the following upstream commits:
- 875c2e220e2611165e09051c4747971811f1de58
- 4d9ced9956755901238fede6fc5a3d7e4e816aa6
Upstream issue:
https://github.com/systemd/systemd/issues/959
So disable all of this for now until a better option is found or
someone comes up with a real use case.
Also drop systemd-journald-audit.socket, indeed audit-logs-in-journal 'feature'
has been removed but the socket was still shipped and was statically
enabled. Therefore if auditd service was enabled, incoming messages could be
queued up to 128M and were never read (hence freed) by journald.
[fbui: fixes bsc#984034]
[fbui: fixes bsc#1109252]
---
src/journal/journald-server.c | 4 ++--
units/meson.build | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 5865bf9809..14934080cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) {
if (r < 0)
return r;
- /* Unless we got *some* sockets and not audit, open audit socket */
- if (s->audit_fd >= 0 || no_sockets) {
+ /* Suse: disable audit messages in journal entirely. */
+ if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
diff --git a/units/meson.build b/units/meson.build
index dadc9432ef..a31acd3b05 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,6 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
--
2.26.2