[systemd-commits] 2 commits - TODO man/systemd.journal-fields.xml src/journal src/shared
Lennart Poettering
lennart at kemper.freedesktop.org
Mon Jul 15 19:27:12 PDT 2013
TODO | 6 ++++--
man/systemd.journal-fields.xml | 9 +++++++++
src/journal/journald-server.c | 7 +++++++
src/shared/util.c | 34 ++++++++++++++++++++++++++++++++++
src/shared/util.h | 1 +
5 files changed, 55 insertions(+), 2 deletions(-)
New commits:
commit 3a83211689bdf4ab617a4fb79e11980c50918123
Author: Shawn Landden <shawnlandden at gmail.com>
Date: Mon Jul 15 18:10:56 2013 -0700
journal: add logging of effective capabilities _CAP_EFFECTIVE
I think this is the most important of the capabilities bitmasks to log.
diff --git a/TODO b/TODO
index 08626ec..3621ce3 100644
--- a/TODO
+++ b/TODO
@@ -220,8 +220,6 @@ Features:
* teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
-* we should log capabilities too
-
* Support SO_REUSEPORT with socket activation:
- Let systemd maintain a pool of servers.
- Use for seamless upgrades, by running the new server before stopping the
diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
index ed62edc..452406c 100644
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@@ -197,6 +197,15 @@
</varlistentry>
<varlistentry>
+ <term><varname>_CAP_EFFECTIVE=</varname></term>
+ <listitem>
+ <para>The effective <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> of
+ the process the journal entry
+ originates from.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>_AUDIT_SESSION=</varname></term>
<term><varname>_AUDIT_LOGINUID=</varname></term>
<listitem>
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 6beaa8a..332ba41 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -578,6 +578,13 @@ static void dispatch_message_real(
IOVEC_SET_STRING(iovec[n++], x);
}
+ r = get_process_capeff(ucred->pid, &t);
+ if (r >= 0) {
+ x = strappenda("_CAP_EFFECTIVE=", t);
+ free(t);
+ IOVEC_SET_STRING(iovec[n++], x);
+ }
+
#ifdef HAVE_AUDIT
r = audit_session_from_pid(ucred->pid, &audit);
if (r >= 0) {
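Review bot: The added `IOVEC_SET_STRING(iovec[n++], x);` uses one more slot of `iovec`, but nothing visible in this commit grows that array: the diffstat lists only these seven added lines in journald-server.c and no header change. The declaration of `iovec` in dispatch_message_real is outside the hunk, so this may already be accounted for; if its capacity is a fixed count of metadata fields, that count has to go up by one, otherwise a message that carries every field can index past the end of the array. Separately, the value is read from /proc after the message was received, so it describes the sender at read time, not at send time. A comment such as `/* read from /proc after receipt; may differ from the sender's capabilities at send time */` would record that for anyone who treats `_CAP_EFFECTIVE=` as evidence.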
diff --git a/src/shared/util.c b/src/shared/util.c
index 5c7204a..19ca8ad 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
return 0;
}
+int get_process_capeff(pid_t pid, char **capeff) {
+ const char *p;
+ _cleanup_free_ char *status = NULL;
+ char *t = NULL;
+ int r;
+
+ assert(capeff);
+ assert(pid >= 0);
+
+ if (pid == 0)
+ p = "/proc/self/status";
+ else
+ p = procfs_file_alloca(pid, "status");
+
+ r = read_full_file(p, &status, NULL);
+ if (r < 0)
+ return r;
+
+ t = strstr(status, "\nCapEff:\t");
+ if (!t)
+ return -ENOENT;
+
+ for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
+ continue;
+
+ if (t[0] == '\n')
+ t--;
+
+ *capeff = strndup(t, strchr(t, '\n') - t);
+ if (!*capeff)
+ return -ENOMEM;
+
+ return 0;
+}
int get_process_exe(pid_t pid, char **name) {
const char *p;
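Review bot: `strchr(t, '\n')` in the `strndup()` call of get_process_capeff is used without a NULL check, so if the `CapEff:` line ends the buffer without a trailing newline the length is computed from a null pointer, which is undefined behaviour. `*capeff = strndup(t, strcspn(t, "\n"));` returns the same string when the newline is present and stops at the terminator when it is not. The function also hands the text back unvalidated, and the caller stores it as a trusted journal field. A `strspn()` check that the result contains only hex digits, or at least a comment stating that assumption about the kernel's output, would make the contract explicit.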
diff --git a/src/shared/util.h b/src/shared/util.h
index ddb21b4..fac08ca 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
int get_process_exe(pid_t pid, char **name);
int get_process_uid(pid_t pid, uid_t *uid);
int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);
char hexchar(int x) _const_;
int unhexchar(char c) _const_;
commit fa7deadb074dfbe473cf3bd942768dbd94cbf7c3
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Jul 16 03:30:45 2013 +0200
update TODO
diff --git a/TODO b/TODO
index 3fa384c..08626ec 100644
--- a/TODO
+++ b/TODO
@@ -56,6 +56,10 @@ CGroup Rework Completion:
Features:
+* when parsing calendar timestamps support the UTC timezone (even if we won't support arbitrary timezone specs, support UTC itself certainly makes sense)
+
+* when a kernel driver logs in a tight loop we should ratelimit that too.
+
* journald: optionally, when messages with a high log prioerity are logged, sync() immeidately.
* introduce %v resolving to the string returned by "uname -r"