journal: give the ability to enable/disable systemd-journald-audit.socket

Before this patch the only way to prevent journald from reading the audit
messages was to mask systemd-journald-audit.socket. However this had main
drawback that downstream couldn't ship the socket disabled by default (beside
the fact that masking units is not supposed to be the usual way to disable
them).

Fixes #15777

7 files changed, 28 insertions, 11 deletions

diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 24cee4c8b2..50c33e4792 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -423,13 +423,18 @@
       <varlistentry>
         <term><varname>Audit=</varname></term>
 
-        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
         kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
-        disable it, leaving the previous state unchanged. Note that this option does not control whether
-        <command>systemd-journald</command> collects generated audit records, it just controls whether it
-        tells the kernel to generate them. This means if another tool turns on auditing even if
-        <command>systemd-journald</command> left it off, it will still collect the generated
-        messages. Defaults to on.</para></listitem>
+        disable it, leaving the previous state unchanged.  This means if another tool turns on auditing even
+        if <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para>
+
+        <para>Note that this option does not control whether <command>systemd-journald</command> collects
+        generated audit records, it just controls whether it tells the kernel to generate them. If you need
+        to prevent <command>systemd-journald</command> from collecting the generated messages, the socket
+        unit <literal>systemd-journald-audit.socket</literal> can be disabled and in this case this setting
+        is without effect.</para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 8fa864473d..6b0fb3137c 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -332,7 +332,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
         <listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will
         listen on and are visible in the file system. In addition to these,
         <command>systemd-journald</command> can listen for audit events using <citerefentry
-        project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+        project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+        depending on whether <literal>systemd-journald-audit.socket</literal> is enabled or
+        not.</para></listitem>
       </varlistentry>
     </variablelist>
 
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 25936d8f57..2b8db9d476 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -24,6 +24,7 @@ enable systemd-homed.service
 enable systemd-userdbd.socket
 enable systemd-pstore.service
 enable systemd-boot-update.service
+enable systemd-journald-audit.socket
 
 disable console-getty.service
 disable debug-shell.service
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index b59f42c4b8..c1fc5a8da9 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2504,10 +2504,13 @@ int server_init(Server *s, const char *namespace) {
 
         /* Unless we got *some* sockets and not audit, open audit socket */
         if (s->audit_fd >= 0 || no_sockets) {
+                log_info("Collecting audit messages is enabled.");
+
                 r = server_open_audit(s);
                 if (r < 0)
                         return r;
-        }
+        } else
+                log_info("Collecting audit messages is disabled.");
 
         r = server_open_varlink(s, varlink_socket, varlink_fd);
         if (r < 0)
diff --git a/units/meson.build b/units/meson.build
index 79e2935a50..69197f0c47 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -123,8 +123,7 @@ units = [
          'sysinit.target.wants/'],
         ['systemd-journal-gatewayd.socket',     'ENABLE_REMOTE HAVE_MICROHTTPD'],
         ['systemd-journal-remote.socket',       'ENABLE_REMOTE HAVE_MICROHTTPD'],
-        ['systemd-journald-audit.socket',       '',
-         'sockets.target.wants/'],
+        ['systemd-journald-audit.socket',       ''],
         ['systemd-journald-dev-log.socket',     '',
          'sockets.target.wants/'],
         ['systemd-journald.socket',             '',
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
index f0c0aebc86..cf9b6e8b84 100644
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -20,3 +20,7 @@ Service=systemd-journald.service
 ReceiveBuffer=128M
 ListenNetlink=audit 1
 PassCredentials=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=systemd-journald.service
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 38ba3e2856..ece872c770 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -38,7 +38,10 @@ RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/journal
 RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+# Audit socket is not listed here because this unit can be turned off. However
+# the link between the socket and the service units is still created thanks to
+# the 'Service=' setting specified in the socket unit.
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
 StandardOutput=null
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM