journal: set secure deletion flags for FSS file

diff --git a/TODO b/TODO
index 102a813..875a3db 100644 (file)
--- a/TODO
+++ b/TODO
@@ -49,6 +49,8 @@ Bugfixes:
 
 Features:
 
+* man: document in ExecStart= explicitly that we don't take shell command lines, only executable names with arguments
+
 * shutdown: don't read-only mount anything when running in container
 
 * nspawn: --read-only is not applied recursively to submounts

diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index 5c21ab0..25f41f6 100644 (file)
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -30,6 +30,8 @@
 #include <time.h>
 #include <getopt.h>
 #include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <linux/fs.h>
 
 #include <systemd/sd-journal.h>
 
@@ -453,7 +455,7 @@ static int setup_keys(void) {
         size_t mpk_size, seed_size, state_size, i;
         uint8_t *mpk, *seed, *state;
         ssize_t l;
-        int fd = -1, r;
+        int fd = -1, r, attr = 0;
         sd_id128_t machine, boot;
         char *p = NULL, *k = NULL;
         struct FSSHeader h;
@@ -530,6 +532,16 @@ static int setup_keys(void) {
                 goto finish;
         }
 
+        /* Enable secure remove, exclusion from dump, synchronous
+         * writing and in-place updating */
+        if (ioctl(fd, FS_IOC_GETFLAGS, &attr) < 0)
+                log_warning("FS_IOC_GETFLAGS failed: %m");
+
+        attr |= FS_SECRM_FL|FS_NODUMP_FL|FS_SYNC_FL|FS_NOCOW_FL;
+
+        if (ioctl(fd, FS_IOC_SETFLAGS, &attr) < 0)
+                log_warning("FS_IOC_SETFLAGS failed: %m");
+
         zero(h);
         memcpy(h.signature, "KSHHRHLP", 8);
         h.machine_id = machine;