[systemd-devel] [PATCH v4] journal: add logging of effective capabilities _CAP_EFFECTIVE
Lennart Poettering
lennart at poettering.net
Mon Jul 15 19:25:03 PDT 2013
On Mon, 15.07.13 18:10, Shawn Landden (shawnlandden at gmail.com) wrote:
> I think this is the most important of the capabilities bitmasks to
> log.
Applied! Thanks!
> ---
> TODO | 2 --
> man/systemd.journal-fields.xml | 9 +++++++++
> src/journal/journald-server.c | 7 +++++++
> src/shared/util.c | 34 ++++++++++++++++++++++++++++++++++
> src/shared/util.h | 1 +
> 5 files changed, 51 insertions(+), 2 deletions(-)
>
> diff --git a/TODO b/TODO
> index 5d4ba8f..0782038 100644
> --- a/TODO
> +++ b/TODO
> @@ -208,8 +208,6 @@ Features:
>
> * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
>
> -* we should log capabilities too
> -
> * Support SO_REUSEPORT with socket activation:
> - Let systemd maintain a pool of servers.
> - Use for seamless upgrades, by running the new server before stopping the
> diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
> index ed62edc..452406c 100644
> --- a/man/systemd.journal-fields.xml
> +++ b/man/systemd.journal-fields.xml
> @@ -197,6 +197,15 @@
> </varlistentry>
>
> <varlistentry>
> + <term><varname>_CAP_EFFECTIVE=</varname></term>
> + <listitem>
> + <para>The effective <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> of
> + the process the journal entry
> + originates from.</para>
> + </listitem>
> + </varlistentry>
> +
> + <varlistentry>
> <term><varname>_AUDIT_SESSION=</varname></term>
> <term><varname>_AUDIT_LOGINUID=</varname></term>
> <listitem>
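Review bot: the new _CAP_EFFECTIVE= entry does not say what the value looks like, so a reader of the man page cannot tell whether it is a list of capability names or a mask. Since the implementation copies the CapEff line of /proc/PID/status with leading zeros removed, state that here, e.g. "as a hexadecimal capability mask, in the format of the CapEff line of /proc/PID/status".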
> diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
> index 6beaa8a..332ba41 100644
> --- a/src/journal/journald-server.c
> +++ b/src/journal/journald-server.c
> @@ -578,6 +578,13 @@ static void dispatch_message_real(
> IOVEC_SET_STRING(iovec[n++], x);
> }
>
> + r = get_process_capeff(ucred->pid, &t);
> + if (r >= 0) {
> + x = strappenda("_CAP_EFFECTIVE=", t);
> + free(t);
> + IOVEC_SET_STRING(iovec[n++], x);
> + }
> +
> #ifdef HAVE_AUDIT
> r = audit_session_from_pid(ucred->pid, &audit);
> if (r >= 0) {
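Review bot: get_process_capeff() is looked up by ucred->pid after the message has been received, so the value reflects the sender's effective capabilities at lookup time rather than at send time, and the field is silently omitted (the `r >= 0` check) once the process has exited. That matches the other per-PID lookups in dispatch_message_real(), but a short comment that _CAP_EFFECTIVE= is best-effort would help anyone tempted to base trust decisions on it.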
> diff --git a/src/shared/util.c b/src/shared/util.c
> index ceee6f2..7e9c8ea 100644
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
> return 0;
> }
>
> +int get_process_capeff(pid_t pid, char **capeff) {
> + const char *p;
> + _cleanup_free_ char *status = NULL;
> + char *t = NULL;
> + int r;
> +
> + assert(capeff);
> + assert(pid >= 0);
> +
> + if (pid == 0)
> + p = "/proc/self/status";
> + else
> + p = procfs_file_alloca(pid, "status");
> +
> + r = read_full_file(p, &status, NULL);
> + if (r < 0)
> + return r;
> +
> + t = strstr(status, "\nCapEff:\t");
> + if (!t)
> + return -ENOENT;
> +
> + for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
> + continue;
> +
> + if (t[0] == '\n')
> + t--;
> +
> + *capeff = strndup(t, strchr(t, '\n') - t);
> + if (!*capeff)
> + return -ENOMEM;
> +
> + return 0;
> +}
>
> int get_process_exe(pid_t pid, char **name) {
> const char *p;
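Review bot: strchr(t, '\n') near the end of get_process_capeff() can return NULL if the CapEff line is the last line of the buffer and lacks a trailing newline (e.g. a truncated read), in which case strndup() is called with a wild length; compute the end pointer first and fail cleanly, e.g.
e = strchr(t, '\n'); if (!e) return -EINVAL;
*capeff = strndup(t, e - t);
A comment explaining that the leading-zero loop followed by the `t--` step is what makes an all-zero mask come out as "0" rather than an empty string would also help, as that is not obvious on first read.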
> diff --git a/src/shared/util.h b/src/shared/util.h
> index ddb21b4..fac08ca 100644
> --- a/src/shared/util.h
> +++ b/src/shared/util.h
> @@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
> int get_process_exe(pid_t pid, char **name);
> int get_process_uid(pid_t pid, uid_t *uid);
> int get_process_gid(pid_t pid, gid_t *gid);
> +int get_process_capeff(pid_t pid, char **capeff);
>
> char hexchar(int x) _const_;
> int unhexchar(char c) _const_;
Lennart
--
Lennart Poettering - Red Hat, Inc.