journal: fix two recent regressions in config handling (#39069)

Fixes #39046. Fixes #39057.
2026-04-14 08:25:20 +09:00 · 2025-09-23 02:43:03 +09:00
parent f784a63cfa b5fdfedf72
commit 6c3c7a8bb7
7 changed files with 40 additions and 12 deletions
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -478,11 +478,14 @@
      <varlistentry>
        <term><varname>Audit=</varname></term>

-        <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
-        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
-        disable it, leaving the previous state unchanged.  This means if another tool turns on auditing even
-        if <command>systemd-journald</command> left it off, it will still collect the generated
-        messages. Defaults to on in the default journal namespace, and unset otherwise.</para>
+        <listitem><para>Takes a boolean value or special value <literal>keep</literal>. If enabled
+        <command>systemd-journald</command> will turn on kernel auditing on start-up. If disabled it will
+        turn it off. When <literal>keep</literal> it will neither enable nor disable it, leaving the previous
+        state unchanged. This means if another tool turns on auditing even if
+        <command>systemd-journald</command> left it off, it will still collect the generated messages.
+        Defaults to yes in the default journal namespace, and <literal>keep</literal> otherwise.</para>
+
+        <!-- Explicit assignment of an empty string is equivalent to 'keep', for backward compatibility. -->

        <para>Note that this option does not control whether <command>systemd-journald</command> collects
        generated audit records, it just controls whether it tells the kernel to generate them. If you need
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -465,10 +465,14 @@ static int manager_set_kernel_audit(Manager *m) {

        assert(m);
        assert(m->audit_fd >= 0);
+        assert(m->config.set_audit >= 0);

-        if (m->config.set_audit < 0)
+        if (m->config.set_audit == AUDIT_KEEP)
                return 0;

+        /* In the following, we can handle 'set_audit' as a boolean. */
+        assert(IN_SET(m->config.set_audit, AUDIT_NO, AUDIT_YES));
+
        struct {
                union {
                        struct nlmsghdr header;
@@ -557,7 +561,7 @@ int manager_open_audit(Manager *m) {
        return 0;
 }

-void manager_reset_kernel_audit(Manager *m, int old_set_audit) {
+void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit) {
        assert(m);

        if (m->audit_fd < 0)
--- a/src/journal/journald-audit.h
+++ b/src/journal/journald-audit.h
@@ -10,4 +10,4 @@ void manager_process_audit_message(Manager *m, const void *buffer, size_t buffer
 void process_audit_string(Manager *m, int type, const char *data, size_t size);

 int manager_open_audit(Manager *m);
-void manager_reset_kernel_audit(Manager *m, int old_set_audit);
+void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit);
--- a/src/journal/journald-config.c
+++ b/src/journal/journald-config.c
@@ -46,7 +46,7 @@ void journal_config_set_defaults(JournalConfig *c) {
                .compress.threshold_bytes = UINT64_MAX,
                .seal = -1,
                .read_kmsg = -1,
-                .set_audit = -1,
+                .set_audit = _AUDIT_SET_MODE_INVALID,
                .ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL,
                .ratelimit_burst = DEFAULT_RATE_LIMIT_BURST,
                .forward_to_syslog = -1,
@@ -59,6 +59,7 @@ void journal_config_set_defaults(JournalConfig *c) {
                .max_level_console = -1,
                .max_level_wall = -1,
                .max_level_socket = -1,
+                .split_mode = _SPLIT_INVALID,
        };

        journal_reset_metrics(&c->system_storage_metrics);
@@ -122,7 +123,7 @@ void manager_merge_configs(Manager *m) {
        MERGE_NON_NEGATIVE(read_kmsg, !m->namespace);
        /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by
         * non-default namespace instances. */
-        MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true);
+        MERGE_NON_NEGATIVE(set_audit, m->namespace ? AUDIT_KEEP : AUDIT_YES);
        MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC);

        /* TODO: also merge them when comdline or credentials support to configure them. */
@@ -401,6 +402,16 @@ static const char* const split_mode_table[_SPLIT_MAX] = {
 DEFINE_STRING_TABLE_LOOKUP(split_mode, SplitMode);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_split_mode, split_mode, SplitMode);

+static const char* const audit_set_mode_table[_AUDIT_SET_MODE_MAX] = {
+        [AUDIT_NO]   = "no",
+        [AUDIT_YES]  = "yes",
+        [AUDIT_KEEP] = "keep",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(audit_set_mode, AuditSetMode, AUDIT_YES);
+/* For backward compatibility, an empty string has special meaning and equals to 'keep'. */
+DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_audit_set_mode, audit_set_mode, AuditSetMode, AUDIT_KEEP);
+
 int config_parse_line_max(
                const char *unit,
                const char *filename,
--- a/src/journal/journald-config.h
+++ b/src/journal/journald-config.h
@@ -27,6 +27,14 @@ typedef struct JournalCompressOptions {
        uint64_t threshold_bytes;
 } JournalCompressOptions;

+typedef enum AuditSetMode {
+        AUDIT_NO = 0, /* Disables the kernel audit subsystem on start. */
+        AUDIT_YES,    /* Enables the kernel audit subsystem on start. */
+        AUDIT_KEEP,   /* Keep the current kernel audit subsystem state. */
+        _AUDIT_SET_MODE_MAX,
+        _AUDIT_SET_MODE_INVALID = -EINVAL,
+} AuditSetMode;
+
 typedef struct JournalConfig {
        /* Storage=, cred: journal.storage */
        Storage storage;
@@ -37,7 +45,7 @@ typedef struct JournalConfig {
        /* ReadKMsg= */
        int read_kmsg;
        /* Audit= */
-        int set_audit;
+        AuditSetMode set_audit;
        /* SyncIntervalSec= */
        usec_t sync_interval_usec;
        /* RateLimitIntervalSec= */
@@ -102,3 +110,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_line_max);
 CONFIG_PARSER_PROTOTYPE(config_parse_compress);
 CONFIG_PARSER_PROTOTYPE(config_parse_forward_to_socket);
 CONFIG_PARSER_PROTOTYPE(config_parse_split_mode);
+CONFIG_PARSER_PROTOTYPE(config_parse_audit_set_mode);
--- a/src/journal/journald-forward.h
+++ b/src/journal/journald-forward.h
@@ -6,6 +6,7 @@

 typedef enum Storage Storage;
 typedef enum SplitMode SplitMode;
+typedef enum AuditSetMode AuditSetMode;
 typedef struct JournalCompressOptions JournalCompressOptions;
 typedef struct JournalConfig JournalConfig;

--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@@ -23,7 +23,7 @@ Journal.Storage,              config_parse_storage,           0, offsetof(Journa
 Journal.Compress,             config_parse_compress,          0, offsetof(JournalConfig, compress)
 Journal.Seal,                 config_parse_tristate,          0, offsetof(JournalConfig, seal)
 Journal.ReadKMsg,             config_parse_tristate,          0, offsetof(JournalConfig, read_kmsg)
-Journal.Audit,                config_parse_tristate,          0, offsetof(JournalConfig, set_audit)
+Journal.Audit,                config_parse_audit_set_mode,    0, offsetof(JournalConfig, set_audit)
 Journal.SyncIntervalSec,      config_parse_sec,               0, offsetof(JournalConfig, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval,    config_parse_sec,               0, offsetof(JournalConfig, ratelimit_interval)