[systemd-devel] [PATCH] journal: add logging of effective capabilities _CAP_EFFECTIVE

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sun Jul 14 20:13:24 PDT 2013


On Sun, Jul 14, 2013 at 07:46:57PM -0700, Shawn Landden wrote:
> I think this is the most important of the capabilities bitmasks to log.
> ---
>  TODO                          |  2 --
>  src/journal/journald-server.c |  7 +++++++
>  src/shared/util.c             | 30 ++++++++++++++++++++++++++++++
>  src/shared/util.h             |  1 +
>  4 files changed, 38 insertions(+), 2 deletions(-)
> 
> diff --git a/TODO b/TODO
> index 5d4ba8f..0782038 100644
> --- a/TODO
> +++ b/TODO
> @@ -208,8 +208,6 @@ Features:
>  
>  * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
>  
> -* we should log capabilities too
> -
>  * Support SO_REUSEPORT with socket activation:
>    - Let systemd maintain a pool of servers.
>    - Use for seamless upgrades, by running the new server before stopping the
> diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
> index 6beaa8a..332ba41 100644
> --- a/src/journal/journald-server.c
> +++ b/src/journal/journald-server.c
> @@ -578,6 +578,13 @@ static void dispatch_message_real(
>                          IOVEC_SET_STRING(iovec[n++], x);
>                  }
>  
> +                r = get_process_capeff(ucred->pid, &t);
> +                if (r >= 0) {
> +                        x = strappenda("_CAP_EFFECTIVE=", t);
> +                        free(t);
> +                        IOVEC_SET_STRING(iovec[n++], x);
> +                }
> +
>  #ifdef HAVE_AUDIT
>                  r = audit_session_from_pid(ucred->pid, &audit);
>                  if (r >= 0) {
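Review bot: The new `IOVEC_SET_STRING(iovec[n++], x)` appends one more entry to `iovec`, whose declaration and sizing are outside this hunk; if the array is dimensioned by a fixed meta-field count (as the run of sibling fields suggests), that count must grow by one or this write lands past the end of the array. The block also deserves a one-line why-comment, e.g. `/* Effective capability set of the sending process, from /proc/PID/status */`, since the other fields here are self-describing and this one is not. dispatch_message_real() starts and ends outside the hunk.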
> diff --git a/src/shared/util.c b/src/shared/util.c
> index ceee6f2..3ad8cb3 100644
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -726,6 +726,36 @@ int is_kernel_thread(pid_t pid) {
>          return 0;
>  }
>  
> +int get_process_capeff(pid_t pid, char **capeff) {
> +        const char *p;
> +        char status_buf[2048];
> +        /* why does read_full_file() need so much indirection? */
> +        char *status = &status_buf[0];
> +        size_t status_size = 2048;
> +        char *t = NULL;
> +        int r;
> +
> +        assert(capeff);
> +        assert(pid >= 0);
> +
> +        if (pid == 0)
> +                p = "/proc/self/status";
> +        else
> +                p = procfs_file_alloca(pid, "status");
> +
> +        r = read_full_file(p, &status, &status_size);
> +        if (r < 0)
> +                return r;
> +
> +        t = strstr(status, "CapEff:\t");
> +        if (!t)
> +                return -NOENT;
> +
> +        if (!(*capeff = strndup(t + strlen("CapEff:\t"), 16))
Please do the assignment outside of the if.

> +                return -ENOMEM;
> +
> +        return 0;
> +}
>  
>  int get_process_exe(pid_t pid, char **name) {
>          const char *p;
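Review bot: `return -NOENT;` on the strstr() failure path names a constant that does not exist in <errno.h>; it should read `return -ENOENT;`. Separately, `read_full_file()` is handed `&status` where `status` points at a 2048-byte stack array, yet the comment above hints the helper manages its own buffer; if it assigns a freshly allocated buffer to `*contents`, then `status` is leaked on every return path and the stack array is dead, so this should be confirmed against the helper's definition and the buffer freed (or the pointer given cleanup handling) if so. The fixed `strndup(..., 16)` length also silently assumes the CapEff value is always exactly 16 hex digits with no check for the line end; a short comment stating that assumption would help the next reader.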
> diff --git a/src/shared/util.h b/src/shared/util.h
> index ddb21b4..fac08ca 100644
> --- a/src/shared/util.h
> +++ b/src/shared/util.h
> @@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
>  int get_process_exe(pid_t pid, char **name);
>  int get_process_uid(pid_t pid, uid_t *uid);
>  int get_process_gid(pid_t pid, gid_t *gid);
> +int get_process_capeff(pid_t pid, char **capeff);
>  
>  char hexchar(int x) _const_;
>  int unhexchar(char c) _const_;

Looks OK, but is missing an update to systemd.journal-fields(7).

Zbyszek

