[systemd-devel] [PATCH] journal: add logging of effective capabilities _CAP_EFFECTIVE

Shawn Landden shawnlandden at gmail.com
Sun Jul 14 19:46:57 PDT 2013


I think this is the most important of the capabilities bitmasks to log.
---
 TODO                          |  2 --
 src/journal/journald-server.c |  7 +++++++
 src/shared/util.c             | 30 ++++++++++++++++++++++++++++++
 src/shared/util.h             |  1 +
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/TODO b/TODO
index 5d4ba8f..0782038 100644
--- a/TODO
+++ b/TODO
@@ -208,8 +208,6 @@ Features:
 
 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
 
-* we should log capabilities too
-
 * Support SO_REUSEPORT with socket activation:
   - Let systemd maintain a pool of servers.
   - Use for seamless upgrades, by running the new server before stopping the
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 6beaa8a..332ba41 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -578,6 +578,13 @@ static void dispatch_message_real(
                         IOVEC_SET_STRING(iovec[n++], x);
                 }
 
+                r = get_process_capeff(ucred->pid, &t);
+                if (r >= 0) {
+                        x = strappenda("_CAP_EFFECTIVE=", t);
+                        free(t);
+                        IOVEC_SET_STRING(iovec[n++], x);
+                }
+
 #ifdef HAVE_AUDIT
                 r = audit_session_from_pid(ucred->pid, &audit);
                 if (r >= 0) {
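Review bot: The added `IOVEC_SET_STRING(iovec[n++], x)` writes one more metadata entry, but the declaration that sizes `iovec` lies outside this hunk and the diffstat shows no other change to journald-server.c, so the array's capacity appears unchanged. The constant that bounds the number of metadata fields should be raised by one in the same commit; otherwise a message that carries every field may write past the end of the array. Separately, the value is read from /proc after the message has been received, so it reflects the sender's capabilities at read time, and the process may have exec'd or dropped privileges in between. A comment above the call, such as `/* best effort: sampled from /proc after receipt, may differ from the capabilities held at send time */`, would keep consumers from treating _CAP_EFFECTIVE as authoritative. dispatch_message_real() starts and ends outside the hunk.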
diff --git a/src/shared/util.c b/src/shared/util.c
index ceee6f2..3ad8cb3 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -726,6 +726,36 @@ int is_kernel_thread(pid_t pid) {
         return 0;
 }
 
+int get_process_capeff(pid_t pid, char **capeff) {
+        const char *p;
+        char status_buf[2048];
+        /* why does read_full_file() need so much indirection? */
+        char *status = &status_buf[0];
+        size_t status_size = 2048;
+        char *t = NULL;
+        int r;
+
+        assert(capeff);
+        assert(pid >= 0);
+
+        if (pid == 0)
+                p = "/proc/self/status";
+        else
+                p = procfs_file_alloca(pid, "status");
+
+        r = read_full_file(p, &status, &status_size);
+        if (r < 0)
+                return r;
+
+        t = strstr(status, "CapEff:\t");
+        if (!t)
+                return -NOENT;
+
+        if (!(*capeff = strndup(t + strlen("CapEff:\t"), 16))
+                return -ENOMEM;
+
+        return 0;
+}
 
 int get_process_exe(pid_t pid, char **name) {
         const char *p;
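Review bot: In get_process_capeff() the buffer returned by read_full_file() is never freed: that function is defined outside this hunk, but its `char **` out-parameter suggests it allocates the contents itself, in which case `status_buf` goes unused and every call from journald leaks the status text. `-NOENT` is not an errno constant and should be `-ENOENT`. The `strstr(status, "CapEff:\t")` match is not anchored to the start of a line, so the same text appearing earlier in the file inside another field (the process-chosen `Name:` value, for instance) would be logged in place of the kernel's value; matching `"\nCapEff:\t"` and copying only the hex digits that follow avoids that. The rewrite below keeps the signature, the asserts and the path selection.

```c
int get_process_capeff(pid_t pid, char **capeff) {
        const char *p;
        char *status = NULL;    /* filled in by read_full_file(), freed at finish */
        size_t status_size;
        char *t;
        size_t n;
        int r;

        /* … unchanged: asserts and procfs path selection … */

        r = read_full_file(p, &status, &status_size);
        if (r < 0)
                return r;

        /* Match only at the start of a line, so that text inside
         * another field cannot be mistaken for the CapEff line. */
        t = strstr(status, "\nCapEff:\t");
        if (!t) {
                r = -ENOENT;
                goto finish;
        }
        t += strlen("\nCapEff:\t");

        /* Copy just the hex mask, never whatever follows it. */
        n = strspn(t, "0123456789abcdef");
        if (n == 0) {
                r = -EIO;
                goto finish;
        }

        *capeff = strndup(t, n);
        r = *capeff ? 0 : -ENOMEM;

finish:
        free(status);
        return r;
}
```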
diff --git a/src/shared/util.h b/src/shared/util.h
index ddb21b4..fac08ca 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
 int get_process_exe(pid_t pid, char **name);
 int get_process_uid(pid_t pid, uid_t *uid);
 int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);
 
 char hexchar(int x) _const_;
 int unhexchar(char c) _const_;
-- 
1.8.3.2


