[systemd-commits] 9 commits - src/core src/journal src/shared src/update-utmp

Lennart Poettering lennart at kemper.freedesktop.org
Mon Nov 3 16:01:04 PST 2014


 src/core/manager.c            |   12 ++--
 src/journal/journald-audit.c  |  110 ++++++++++++++++++++++++++++++++++--------
 src/journal/journald-audit.h  |    2 
 src/journal/journald-server.c |    2 
 src/shared/logs-show.c        |    2 
 src/update-utmp/update-utmp.c |    6 +-
 6 files changed, 104 insertions(+), 30 deletions(-)

New commits:
commit 25b3245fb483e52766867dfe33ce271011caaca9
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 01:00:50 2014 +0100

    journald: include audit message type number in MESSAGE= string

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 76f6f3f..f543732 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -345,7 +345,7 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
         char id_field[sizeof("_AUDIT_ID=") + DECIMAL_STR_MAX(uint64_t)],
              type_field[sizeof("_AUDIT_TYPE=") + DECIMAL_STR_MAX(int)],
              source_time_field[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
-        const char *m;
+        char *m;
 
         assert(s);
 
@@ -396,7 +396,8 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
         sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
         IOVEC_SET_STRING(iov[n_iov++], id_field);
 
-        m = strappenda("MESSAGE=audit: ", p);
+        m = alloca(strlen("MESSAGE=audit-") + DECIMAL_STR_MAX(int) + strlen(": ") + strlen(p) + 1);
+        sprintf(m, "MESSAGE=audit-%i: %s", type, p);
         IOVEC_SET_STRING(iov[n_iov++], m);
 
         z = n_iov;
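Review bot: The size passed to `alloca()` and the `sprintf()` format are kept in sync only by hand, and the allocation grows with `strlen(p)`, which comes from the received audit record. Computing the length once and bounding the write means a later format change cannot overrun the stack buffer: `size_t l = strlen("MESSAGE=audit-") + DECIMAL_STR_MAX(int) + strlen(": ") + strlen(p) + 1;`, `m = alloca(l);`, `snprintf(m, l, "MESSAGE=audit-%i: %s", type, p);`. Whatever caps the record length, and so the stack use, is outside this hunk; a comment naming that bound would help. `process_audit_string()` starts and ends outside the hunk.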

commit 9833a66c7eba011c3740867c80133bc6fa976aa3
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:48:32 2014 +0100

    journal: also consider audit fields with '-' valid

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index ba8a1ae..76f6f3f 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -172,7 +172,7 @@ static int map_generic_field(const char *prefix, const char **p, struct iovec **
                 if (!((*e >= 'a' && *e <= 'z') ||
                       (*e >= 'A' && *e <= 'Z') ||
                       (*e >= '0' && *e <= '9') ||
-                      (*e == '_')))
+                      *e == '_' || *e == '-'))
                         return 0;
         }
 
@@ -182,8 +182,18 @@ static int map_generic_field(const char *prefix, const char **p, struct iovec **
         c = alloca(strlen(prefix) + (e - *p) + 2);
 
         t = stpcpy(c, prefix);
-        for (f = *p; f < e; f++)
-                *(t++) = *f >= 'a' && *f <= 'z' ? ((*f - 'a') + 'A') : *f;
+        for (f = *p; f < e; f++) {
+                char x;
+
+                if (*f >= 'a' && *f <= 'z')
+                        x = (*f - 'a') + 'A'; /* uppercase */
+                else if (*f == '-')
+                        x = '_'; /* dashes → underscores */
+                else
+                        x = *f;
+
+                *(t++) = x;
+        }
         strcpy(t, "=");
 
         e ++;
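Review bot: Mapping '-' to '_' in the copy loop is lossy: audit keys that differ only in dash versus underscore (for example `a-b` and `a_b`, constructed names) now produce the same journal field name, and the validation loop in the previous hunk accepts both. If that collapse is intended, a comment above the loop should say so, e.g. `/* '-' is folded into '_' for the journal field name; keys differing only in that character end up in the same field */`. The destination buffer is the `alloca()` at the top of this hunk, whose size follows the key length taken from the record; the scan that determines that length begins outside the hunk.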

commit 0aa281df2c5f56623abddf25d6bcdb82b641aeb2
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:47:44 2014 +0100

    audit: improve the audit messages we generate
    
    Always pass along comm, as documented by audit. Always set the correct
    comm value.

diff --git a/src/core/manager.c b/src/core/manager.c
index 2eab553..ef1e3ea 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -2066,6 +2066,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
 
 #ifdef HAVE_AUDIT
         _cleanup_free_ char *p = NULL;
+        const char *msg;
         int audit_fd;
 
         audit_fd = get_audit_fd();
@@ -2085,17 +2086,18 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
 
         p = unit_name_to_prefix_and_instance(u->id);
         if (!p) {
-                log_error_unit(u->id,
-                               "Failed to allocate unit name for audit message: %s", strerror(ENOMEM));
+                log_oom();
                 return;
         }
 
-        if (audit_log_user_comm_message(audit_fd, type, "", p, NULL, NULL, NULL, success) < 0) {
-                if (errno == EPERM) {
+        msg = strappenda("unit=", p);
+
+        if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
+                if (errno == EPERM)
                         /* We aren't allowed to send audit messages?
                          * Then let's not retry again. */
                         close_audit_fd();
-                } else
+                else
                         log_warning("Failed to send audit message: %m");
         }
 #endif
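Review bot: The unit name is now placed in the audit record text as `unit=<name>` by `strappenda("unit=", p)` with no quoting or escaping. If `unit_name_to_prefix_and_instance()` can return characters such as spaces, quotes or `=`, a consumer that parses the record as key=value pairs could read extra or altered fields. The character set of unit names is enforced elsewhere and is not visible here. Once that is confirmed, a comment next to the `strappenda()` call should record the assumption, for example `/* unit names cannot contain whitespace or quotes, so the value needs no escaping */`. The function body begins outside this hunk.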
diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c
index 31cae70..311d686 100644
--- a/src/update-utmp/update-utmp.c
+++ b/src/update-utmp/update-utmp.c
@@ -131,7 +131,7 @@ static int on_reboot(Context *c) {
 
 #ifdef HAVE_AUDIT
         if (c->audit_fd >= 0)
-                if (audit_log_user_message(c->audit_fd, AUDIT_SYSTEM_BOOT, "init", NULL, NULL, NULL, 1) < 0 &&
+                if (audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_BOOT, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
                     errno != EPERM) {
                         log_error("Failed to send audit message: %m");
                         r = -errno;
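Review bot: The comm string `"systemd-update-utmp"` is repeated as a literal here and in the `on_shutdown()` and `on_runlevel()` hunks below. A single file-level constant would keep the three audit records consistent if the name ever changes, e.g. `static const char audit_comm[] = "systemd-update-utmp";` (the identifier is only a suggestion). All three functions continue outside their hunks.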
@@ -161,7 +161,7 @@ static int on_shutdown(Context *c) {
 
 #ifdef HAVE_AUDIT
         if (c->audit_fd >= 0)
-                if (audit_log_user_message(c->audit_fd, AUDIT_SYSTEM_SHUTDOWN, "init", NULL, NULL, NULL, 1) < 0 &&
+                if (audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_SHUTDOWN, "", "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
                     errno != EPERM) {
                         log_error("Failed to send audit message: %m");
                         r = -errno;
@@ -215,7 +215,7 @@ static int on_runlevel(Context *c) {
                              runlevel > 0 ? runlevel : 'N') < 0)
                         return log_oom();
 
-                if (audit_log_user_message(c->audit_fd, AUDIT_SYSTEM_RUNLEVEL, s, NULL, NULL, NULL, 1) < 0 &&
+                if (audit_log_user_comm_message(c->audit_fd, AUDIT_SYSTEM_RUNLEVEL, s, "systemd-update-utmp", NULL, NULL, NULL, 1) < 0 &&
                     errno != EPERM) {
                         log_error("Failed to send audit message: %m");
                         r = -errno;

commit 0b97208d8c39131f8a7cfcfccb5c40b86af44ee5
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:32:02 2014 +0100

    journald: don't pass around SO_TIMESTAMP timestamp for audit, which we don't have anyway

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 520d1cb..ba8a1ae 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -325,7 +325,7 @@ static int map_all_fields(
         }
 }
 
-static void process_audit_string(Server *s, int type, const char *data, size_t size, const struct timeval *tv) {
+static void process_audit_string(Server *s, int type, const char *data, size_t size) {
         _cleanup_free_ struct iovec *iov = NULL;
         size_t n_iov_allocated = 0;
         unsigned n_iov = 0, k;
@@ -398,7 +398,7 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
                 goto finish;
         }
 
-        server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, tv, NULL, 0, NULL, LOG_NOTICE, 0);
+        server_dispatch_message(s, iov, n_iov, n_iov_allocated, NULL, NULL, NULL, 0, NULL, LOG_NOTICE, 0);
 
 finish:
         /* free() all entries that map_all_fields() added. All others
@@ -413,7 +413,6 @@ void server_process_audit_message(
                 const void *buffer,
                 size_t buffer_size,
                 const struct ucred *ucred,
-                const struct timeval *tv,
                 const union sockaddr_union *sa,
                 socklen_t salen) {
 
@@ -453,7 +452,7 @@ void server_process_audit_message(
         if (nl->nlmsg_type < AUDIT_FIRST_USER_MSG)
                 return;
 
-        process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)), tv);
+        process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)));
 }
 
 static int enable_audit(int fd, bool b) {
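Review bot: The length handed to `process_audit_string()` is `nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr))`, which wraps to a very large `size_t` if `nlmsg_len` is smaller than the aligned header and overstates the data if it is larger than `buffer_size`. The checks that rule this out would have to sit above the call, outside this hunk. A one-line comment at the call naming them, such as `/* nlmsg_len was validated against buffer_size above */`, would make the subtraction reviewable on its own. `server_process_audit_message()` starts outside the hunk.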
diff --git a/src/journal/journald-audit.h b/src/journal/journald-audit.h
index 29bff07..68cdfb3 100644
--- a/src/journal/journald-audit.h
+++ b/src/journal/journald-audit.h
@@ -24,6 +24,6 @@
 #include "socket-util.h"
 #include "journald-server.h"
 
-void server_process_audit_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const struct timeval *tv, const union sockaddr_union *sa, socklen_t salen);
+void server_process_audit_message(Server *s, const void *buffer, size_t buffer_size, const struct ucred *ucred, const union sockaddr_union *sa, socklen_t salen);
 
 int server_open_audit(Server*s);
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 19cd6fe..2f782f2 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1226,7 +1226,7 @@ int process_datagram(sd_event_source *es, int fd, uint32_t revents, void *userda
                         assert(fd == s->audit_fd);
 
                         if (n > 0 && n_fds == 0)
-                                server_process_audit_message(s, s->buffer, n, ucred, tv, &sa, msghdr.msg_namelen);
+                                server_process_audit_message(s, s->buffer, n, ucred, &sa, msghdr.msg_namelen);
                         else if (n_fds > 0)
                                 log_warning("Got file descriptors via audit socket. Ignoring.");
                 }

commit 1248e84008028ae54326c565fcc65dcbce3556ad
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:28:33 2014 +0100

    journal: when dumping log data with missing COMM fields, show "unknown" instead
    
    A small readability improvement...

diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 04e1165..e33824b 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -365,7 +365,7 @@ static int output_short(
                 fprintf(f, " %.*s", (int) comm_len, comm);
                 n += comm_len + 1;
         } else
-                fputc(' ', f);
+                fputs(" unknown", f);
 
         if (pid && shall_print(pid, pid_len, flags)) {
                 fprintf(f, "[%.*s]", (int) pid_len, pid);
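Review bot: The new `fputs(" unknown", f)` branch writes eight characters but does not add to `n`, while the branch above it does `n += comm_len + 1`. If `n` is the running column count used later for line-width handling, the fallback is now undercounted. Something like `} else { fputs(" unknown", f); n += strlen(" unknown"); }` would keep the two branches consistent. The output also no longer distinguishes a missing COMM field from a process whose comm is literally `unknown`, which matters when this view is read during an investigation. `output_short()` begins and ends outside the hunk.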

commit 5034c7bcdfc4493ed3c30722e9d897c8da78fede
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:27:55 2014 +0100

    journald: suppress low-level audit text prefix in MESSAGE= field
    
    Let's make the log output more readable, and the header can be
    reconstructed in full from the other fields

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index d88d67c..520d1cb 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -354,7 +354,7 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
         if (!p)
                 return;
 
-        if (sscanf(p, "(%" PRIi64 ".%" PRIi64 ":%" PRIi64 "): %n",
+        if (sscanf(p, "(%" PRIi64 ".%" PRIi64 ":%" PRIi64 "):%n",
                    &seconds,
                    &msec,
                    &id,
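Review bot: The conversions in the changed `sscanf()` format use `PRIi64`, i.e. `%i`, which picks the base from the prefix, so a zero-padded field is read as octal and a `0x` prefix as hex. If the millisecond part of the audit timestamp is zero-padded, a value like `042` parses as 34 and one like `089` stops at the `8`, so the match fails and the record is dropped by the `return` that follows. `id` is printed with `PRIu64` elsewhere in this function, so unsigned decimal conversions look like the intent: `"(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n"`. The declarations of `seconds`, `msec` and `id` are outside the hunk, so their types need checking against that format.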
@@ -362,6 +362,10 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
                 return;
 
         p += k;
+        p += strspn(p, WHITESPACE);
+
+        if (isempty(p))
+                return;
 
         n_iov_allocated = N_IOVEC_META_FIELDS + 5;
         iov = new(struct iovec, n_iov_allocated);
@@ -382,7 +386,7 @@ static void process_audit_string(Server *s, int type, const char *data, size_t s
         sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
         IOVEC_SET_STRING(iov[n_iov++], id_field);
 
-        m = strappenda("MESSAGE=", data);
+        m = strappenda("MESSAGE=audit: ", p);
         IOVEC_SET_STRING(iov[n_iov++], m);
 
         z = n_iov;

commit 78fe420ff0bb4cd94de3c4d3f15a3021cc3e2878
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:27:26 2014 +0100

    journald: properly decode audit's proctitle= field

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 0e1e8bd..d88d67c 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -67,7 +67,7 @@ static int map_simple_field(const char *field, const char **p, struct iovec **io
         return 1;
 }
 
-static int map_string_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
+static int map_string_field_internal(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov, bool filter_printable) {
         _cleanup_free_ char *c = NULL;
         const char *s, *e;
         size_t l;
@@ -108,6 +108,7 @@ static int map_string_field(const char *field, const char **p, struct iovec **io
                 memcpy(c, field, l);
                 for (e = *p; *e != ' ' && *e != 0; e += 2) {
                         int a, b;
+                        uint8_t x;
 
                         a = unhexchar(e[0]);
                         if (a < 0)
@@ -117,10 +118,15 @@ static int map_string_field(const char *field, const char **p, struct iovec **io
                         if (b < 0)
                                 return 0;
 
+                        x = ((uint8_t) a << 4 | (uint8_t) b);
+
+                        if (filter_printable && x < (uint8_t) ' ')
+                                x = (uint8_t) ' ';
+
                         if (!GREEDY_REALLOC(c, allocated, l+2))
                                 return -ENOMEM;
 
-                        c[l++] = (char) ((uint8_t) a << 4 | (uint8_t) b);
+                        c[l++] = (char) x;
                 }
 
                 c[l] = 0;
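Review bot: `filter_printable` only replaces bytes below 0x20, so DEL (0x7f) and every byte from 0x80 up still pass through, and the name promises more than the check does. If the aim is to keep control characters out of `_CMDLINE=`, the test could also cover DEL, `if (filter_printable && (x < (uint8_t) ' ' || x == 0x7f))`, and a comment should say that the decoded value may still hold non-ASCII bytes. With `filter_printable` false (the `comm=` and `exe=` table entries), decoded control bytes, including NUL, are stored unchanged; whether readers of those fields escape them is not visible here. The function starts and ends outside this hunk.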
@@ -140,6 +146,14 @@ static int map_string_field(const char *field, const char **p, struct iovec **io
         return 1;
 }
 
+static int map_string_field(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
+        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, false);
+}
+
+static int map_string_field_printable(const char *field, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
+        return map_string_field_internal(field, p, iov, n_iov_allocated, n_iov, true);
+}
+
 static int map_generic_field(const char *prefix, const char **p, struct iovec **iov, size_t *n_iov_allocated, unsigned *n_iov) {
         const char *e, *f;
         char *c, *t;
@@ -204,7 +218,7 @@ static const MapField map_fields_kernel[] = {
         { "subj=",      "_SELINUX_CONTEXT=",       map_simple_field },
         { "comm=",      "_COMM=",                  map_string_field },
         { "exe=",       "_EXE=",                   map_string_field },
-        { "proctitle=", "_CMDLINE=",               map_string_field },
+        { "proctitle=", "_CMDLINE=",               map_string_field_printable },
 
         /* Some fields don't map to native well-known fields. However,
          * we know that they are string fields, hence let's undo

commit 4d9ced9956755901238fede6fc5a3d7e4e816aa6
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Nov 4 00:01:32 2014 +0100

    journald: enable audit in the kernel when initializing
    
    Similar to auditd, actually turn on auditing as we are starting. This way
    we can operate entirely without auditd around.

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 787ec34..0e1e8bd 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -438,6 +438,51 @@ void server_process_audit_message(
         process_audit_string(s, nl->nlmsg_type, NLMSG_DATA(nl), nl->nlmsg_len - ALIGN(sizeof(struct nlmsghdr)), tv);
 }
 
+static int enable_audit(int fd, bool b) {
+        struct {
+                union {
+                        struct nlmsghdr header;
+                        uint8_t header_space[NLMSG_HDRLEN];
+                };
+                struct audit_status body;
+        } _packed_ request = {
+                .header.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status)),
+                .header.nlmsg_type = AUDIT_SET,
+                .header.nlmsg_flags = NLM_F_REQUEST,
+                .header.nlmsg_seq = 1,
+                .header.nlmsg_pid = 0,
+                .body.mask = AUDIT_STATUS_ENABLED,
+                .body.enabled = b,
+        };
+        union sockaddr_union sa = {
+                .nl.nl_family = AF_NETLINK,
+                .nl.nl_pid = 0,
+        };
+        struct iovec iovec = {
+                .iov_base = &request,
+                .iov_len = NLMSG_LENGTH(sizeof(struct audit_status)),
+        };
+        struct msghdr mh = {
+                .msg_iov = &iovec,
+                .msg_iovlen = 1,
+                .msg_name = &sa.sa,
+                .msg_namelen = sizeof(sa.nl),
+        };
+
+        ssize_t n;
+
+        n = sendmsg(fd, &mh, MSG_NOSIGNAL);
+        if (n < 0)
+                return -errno;
+        if (n != NLMSG_LENGTH(sizeof(struct audit_status)))
+                return -EIO;
+
+        /* We don't wait for the result here, we can't do anything
+         * about it anyway */
+
+        return 0;
+}
+
 int server_open_audit(Server *s) {
         static const int one = 1;
         int r;
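Review bot: `enable_audit()` changes a system-wide kernel setting and never learns whether the kernel accepted it. The request carries only `NLM_F_REQUEST` and no reply is read, so the `log_warning()` added in `server_open_audit()` (next hunk) fires only when `sendmsg()` itself fails. A refused `AUDIT_SET`, for instance when the caller lacks the privilege or the audit configuration cannot be changed, leaves journald listening on a socket that may stay silent, with nothing in the log. The in-function comment should state that consequence, e.g. `/* The kernel's answer is not read: a refused AUDIT_SET goes unnoticed and auditing may remain off */`. The call site should also document that starting journald turns auditing on for the whole system.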
@@ -479,5 +524,10 @@ int server_open_audit(Server *s) {
                 return r;
         }
 
+        /* We are listening now, try to enable audit */
+        r = enable_audit(s->audit_fd, true);
+        if (r < 0)
+                log_warning("Failed to issue audit enable call: %s", strerror(-r));
+
         return 0;
 }

commit 2b0073e1d2fb0611733e0b83bd41cc753b254593
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Nov 3 23:28:12 2014 +0100

    journald: there's no point in turning on SO_TIMESTAMP for audit sockets, audit doesn't support timestamps anyway

diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index fe0eec8..787ec34 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -473,12 +473,6 @@ int server_open_audit(Server *s) {
                 return -errno;
         }
 
-        r = setsockopt(s->audit_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
-        if (r < 0) {
-                log_error("Failed to set SO_TIMESTAMP on audit socket: %m");
-                return -errno;
-        }
-
         r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, process_datagram, s);
         if (r < 0) {
                 log_error("Failed to add audit fd to event loop: %s", strerror(-r));


