journal: give the ability to enable/disable systemd-journald-audit.socket

Before this patch the only way to prevent journald from reading the audit
messages was to mask systemd-journald-audit.socket. However this had main
drawback that downstream couldn't ship the socket disabled by default (beside
the fact that masking units is not supposed to be the usual way to disable
them).

Fixes #15777

units/meson.build

@@ -123,8 +123,7 @@ units = [
          'sysinit.target.wants/'],
         ['systemd-journal-gatewayd.socket',     'ENABLE_REMOTE HAVE_MICROHTTPD'],
         ['systemd-journal-remote.socket',       'ENABLE_REMOTE HAVE_MICROHTTPD'],
-        ['systemd-journald-audit.socket',       '',
-         'sockets.target.wants/'],
+        ['systemd-journald-audit.socket',       ''],
         ['systemd-journald-dev-log.socket',     '',
          'sockets.target.wants/'],
         ['systemd-journald.socket',             '',

units/systemd-journald-audit.socket

@@ -20,3 +20,7 @@ Service=systemd-journald.service
 ReceiveBuffer=128M
 ListenNetlink=audit 1
 PassCredentials=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=systemd-journald.service

units/systemd-journald.service.in

@@ -38,7 +38,10 @@ RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/journal
 RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+# Audit socket is not listed here because this unit can be turned off. However
+# the link between the socket and the service units is still created thanks to
+# the 'Service=' setting specified in the socket unit.
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
 StandardOutput=null
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM