movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

nixos/systemd: unconditional systemd-journald-audit.socket (#408085)

Browse source
This commit is contained in:
Arian van Putten 2025-05-20 15:29:53 +02:00 committed by GitHub
commit 4df0b7d8ca
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 35 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

29
nixos/modules/system/boot/systemd/journald.nix
View file

@ -116,22 +116,19 @@ in
}; };
config = { config = {
systemd.additionalUpstreamSystemUnits = systemd.additionalUpstreamSystemUnits = [
[ "systemd-journald.socket"
"systemd-journald.socket" "systemd-journald@.socket"
"systemd-journald@.socket" "systemd-journald-varlink@.socket"
"systemd-journald-varlink@.socket" "systemd-journald.service"
"systemd-journald.service" "systemd-journald@.service"
"systemd-journald@.service" "systemd-journal-flush.service"
"systemd-journal-flush.service" "systemd-journal-catalog-update.service"
"systemd-journal-catalog-update.service" "systemd-journald-sync@.service"
"systemd-journald-sync@.service" "systemd-journald-audit.socket"
] "systemd-journald-dev-log.socket"
++ (lib.optional (!config.boot.isContainer) "systemd-journald-audit.socket") "syslog.socket"
++ [ ];
"systemd-journald-dev-log.socket"
"syslog.socket"
];
systemd.sockets.systemd-journald-audit.wantedBy = [ systemd.sockets.systemd-journald-audit.wantedBy = [
"systemd-journald.service" "systemd-journald.service"

22
nixos/tests/systemd-journal.nix
View file

@ -12,11 +12,23 @@ import ./make-test-python.nix (
}; };
nodes.auditd = { nodes.auditd = {
security.auditd.enable = true; security.auditd.enable = true;
security.audit.enable = true;
environment.systemPackages = [ pkgs.audit ]; environment.systemPackages = [ pkgs.audit ];
boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
boot.kernelParams = [ "audit_backlog_limit=8192" ];
}; };
nodes.journaldAudit = { nodes.journaldAudit = {
services.journald.audit = true; services.journald.audit = true;
security.audit.enable = true;
environment.systemPackages = [ pkgs.audit ]; environment.systemPackages = [ pkgs.audit ];
boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
boot.kernelParams = [ "audit_backlog_limit=8192" ];
};
nodes.containerCheck = {
containers.c1 = {
autoStart = true;
config = { };
};
}; };
testScript = '' testScript = ''
@ -50,6 +62,16 @@ import ./make-test-python.nix (
# logs ideally should NOT end up in kmesg, but they do due to # logs ideally should NOT end up in kmesg, but they do due to
# https://github.com/systemd/systemd/issues/15324 # https://github.com/systemd/systemd/issues/15324
journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
with subtest("container systemd-journald-audit not running"):
containerCheck.wait_for_unit("multi-user.target");
containerCheck.wait_until_succeeds("systemctl -M c1 is-active default.target");
# systemd-journald-audit.socket should exist but not run due to the upstream unit's `Condition*` settings
(status, output) = containerCheck.execute("systemctl -M c1 is-active systemd-journald-audit.socket")
containerCheck.log(output)
assert status == 3 and output == "inactive\n", f"systemd-journald-audit.socket should exist in a container but remain inactive, was {output}"
''; '';
} }
) )