Adds a check to audit-fd.c to ensure that CAP_AUDIT_WRITE is present in
the set of effective capabilities before opening an audit netlink
socket. This ensures that unprivileged systemd instances (MANAGER_USER)
don't try to log AVC permission checks with the audit subsystem when
CAP_AUDIT_WRITE is not present.
#include <libaudit.h>
#include <stdbool.h>
+#include "capability-util.h"
#include "fd-util.h"
#include "log.h"
#include "util.h"
int get_audit_fd(void) {
if (!initialized) {
+ if (have_effective_cap(CAP_AUDIT_WRITE) == 0) {
+ audit_fd = -EPERM;
+ initialized = true;
+
+ return audit_fd;
+ }
+
audit_fd = audit_open();
if (audit_fd < 0) {
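Review bot: The new guard `if (have_effective_cap(CAP_AUDIT_WRITE) == 0)` only matches a definite "capability absent" result. If the helper can report failure with a negative value (its definition is not visible here, so this is an assumption), that case falls through to `audit_open()` without comment. The intent should be explicit, for example `/* On error we cannot tell; fall through and let audit_open() decide */` above the guard, or the return value kept in a local and tested separately for `< 0`. The `-EPERM` result is also cached through `initialized = true`, so the capability is checked only on the first call and later calls never re-check it. A one-line comment saying that this is intended for user managers would help anyone tracing why AVC denials are missing from the audit log. The body of `get_audit_fd()` continues past the end of this hunk, so how the cached negative fd is reported to callers cannot be checked from here.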