+ fputs(")\n\n", stdout);
+
+ printf("As Python constant:\n"
+ ">>> import uuid\n"
+ ">>> MESSAGE_XYZ = uuid.UUID('" SD_ID128_FORMAT_STR "')\n",
+ SD_ID128_FORMAT_VAL(id));
+
+ return 0;
+}
+
+static int add_matches(sd_journal *j, char **args) {
+ char **i;
+
+ assert(j);
+
+ STRV_FOREACH(i, args) {
+ int r;
+
+ if (streq(*i, "+"))
+ r = sd_journal_add_disjunction(j);
+ else if (path_is_absolute(*i)) {
+ _cleanup_free_ char *p, *t = NULL;
+ const char *path;
+ struct stat st;
+
+ p = canonicalize_file_name(*i);
+ path = p ? p : *i;
+
+ if (stat(path, &st) < 0) {
+ log_error("Couldn't stat file: %m");
+ return -errno;
+ }
+
+ if (S_ISREG(st.st_mode) && (0111 & st.st_mode))
+ t = strappend("_EXE=", path);
+ else if (S_ISCHR(st.st_mode))
+ asprintf(&t, "_KERNEL_DEVICE=c%u:%u", major(st.st_rdev), minor(st.st_rdev));
+ else if (S_ISBLK(st.st_mode))
+ asprintf(&t, "_KERNEL_DEVICE=b%u:%u", major(st.st_rdev), minor(st.st_rdev));
+ else {
+ log_error("File is neither a device node, nor regular file, nor executable: %s", *i);
+ return -EINVAL;
+ }
+
+ if (!t)
+ return log_oom();
+
+ r = sd_journal_add_match(j, t, 0);
+ } else
+ r = sd_journal_add_match(j, *i, 0);
+
+ if (r < 0) {
+ log_error("Failed to add match '%s': %s", *i, strerror(-r));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
+static int boot_id_cmp(const void *a, const void *b) {
+ uint64_t _a, _b;
+
+ _a = ((const boot_id_t *)a)->timestamp;
+ _b = ((const boot_id_t *)b)->timestamp;
+
+ return _a < _b ? -1 : (_a > _b ? 1 : 0);
+}
+
+static int get_relative_boot_id(sd_journal *j, sd_id128_t *boot_id, int relative) {
+ int r;
+ const void *data;
+ unsigned int count = 0;
+ size_t length, allocated = 0;
+ boot_id_t ref_boot_id = {SD_ID128_NULL}, *id;
+ _cleanup_free_ boot_id_t *all_ids = NULL;
+
+ assert(j);
+ assert(boot_id);
+
+ if (relative == 0 && !sd_id128_equal(*boot_id, SD_ID128_NULL))
+ return 0;
+
+ r = sd_journal_query_unique(j, "_BOOT_ID");
+ if (r < 0)
+ return r;
+
+ SD_JOURNAL_FOREACH_UNIQUE(j, data, length) {
+ if (length < strlen("_BOOT_ID="))
+ continue;
+
+ if (!GREEDY_REALLOC(all_ids, allocated, count + 1))
+ return log_oom();
+
+ id = &all_ids[count];
+
+ r = sd_id128_from_string(((const char *)data) + strlen("_BOOT_ID="), &id->id);
+ if (r < 0)
+ continue;
+
+ r = sd_journal_add_match(j, data, length);
+ if (r < 0)
+ return r;
+
+ r = sd_journal_seek_head(j);
+ if (r < 0)
+ return r;
+
+ r = sd_journal_next(j);
+ if (r < 0)
+ return r;
+ else if (r == 0)
+ goto flush;
+
+ r = sd_journal_get_realtime_usec(j, &id->timestamp);
+ if (r < 0)
+ return r;
+
+ if (sd_id128_equal(id->id, *boot_id))
+ ref_boot_id = *id;
+
+ count++;
+ flush:
+ sd_journal_flush_matches(j);
+ }
+
+ qsort(all_ids, count, sizeof(boot_id_t), boot_id_cmp);
+
+ if (sd_id128_equal(*boot_id, SD_ID128_NULL)) {
+ if (relative > (int) count || relative <= -(int)count)
+ return -EADDRNOTAVAIL;
+
+ *boot_id = all_ids[(relative <= 0)*count + relative - 1].id;
+ } else {
+ id = bsearch(&ref_boot_id, all_ids, count, sizeof(boot_id_t), boot_id_cmp);
+
+ if (!id ||
+ relative <= 0 ? (id - all_ids) + relative < 0 :
+ (id - all_ids) + relative >= (int) count)
+ return -EADDRNOTAVAIL;
+
+ *boot_id = (id + relative)->id;
+ }
+
+ return 0;
+}
+
+static int add_boot(sd_journal *j) {
+ char match[9+32+1] = "_BOOT_ID=";
+ char *offset;
+ sd_id128_t boot_id = SD_ID128_NULL;
+ int r, relative = 0;
+
+ assert(j);
+
+ if (!arg_boot)
+ return 0;
+
+ if (!arg_boot_descriptor)
+ return add_match_this_boot(j);
+
+ if (strlen(arg_boot_descriptor) >= 32) {
+ char tmp = arg_boot_descriptor[32];
+ arg_boot_descriptor[32] = '\0';
+ r = sd_id128_from_string(arg_boot_descriptor, &boot_id);
+ arg_boot_descriptor[32] = tmp;
+
+ if (r < 0) {
+ log_error("Failed to parse boot ID '%.32s': %s",
+ arg_boot_descriptor, strerror(-r));
+ return r;
+ }
+
+ offset = arg_boot_descriptor + 32;
+
+ if (*offset && *offset != '-' && *offset != '+') {
+ log_error("Relative boot ID offset must start with a '+' or a '-', found '%s' ", offset);
+ return -EINVAL;
+ }
+ } else
+ offset = arg_boot_descriptor;
+
+ if (*offset) {
+ r = safe_atoi(offset, &relative);
+ if (r < 0) {
+ log_error("Failed to parse relative boot ID number '%s'", offset);
+ return -EINVAL;
+ }
+ }
+
+ r = get_relative_boot_id(j, &boot_id, relative);
+ if (r < 0) {
+ if (sd_id128_equal(boot_id, SD_ID128_NULL))
+ log_error("Failed to look up boot %+d: %s", relative, strerror(-r));
+ else
+ log_error("Failed to look up boot ID "SD_ID128_FORMAT_STR"%+d: %s",
+ SD_ID128_FORMAT_VAL(boot_id), relative, strerror(-r));
+ return r;
+ }
+
+ sd_id128_to_string(boot_id, match + 9);
+
+ r = sd_journal_add_match(j, match, sizeof(match) - 1);
+ if (r < 0) {
+ log_error("Failed to add match: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_journal_add_conjunction(j);
+ if (r < 0)
+ return r;
+
+ return 0;
+}
+
+static int add_dmesg(sd_journal *j) {
+ int r;
+ assert(j);
+
+ if (!arg_dmesg)
+ return 0;
+
+ r = sd_journal_add_match(j, "_TRANSPORT=kernel", strlen("_TRANSPORT=kernel"));
+ if (r < 0) {
+ log_error("Failed to add match: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_journal_add_conjunction(j);
+ if (r < 0)
+ return r;
+
+ return 0;
+}
+
+static int add_units(sd_journal *j) {
+ _cleanup_free_ char *u = NULL;
+ int r;
+ char **i;
+
+ assert(j);
+
+ STRV_FOREACH(i, arg_system_units) {
+ u = unit_name_mangle(*i);
+ if (!u)
+ return log_oom();
+ r = add_matches_for_unit(j, u);
+ if (r < 0)
+ return r;
+ r = sd_journal_add_disjunction(j);
+ if (r < 0)
+ return r;
+ }
+
+ STRV_FOREACH(i, arg_user_units) {
+ u = unit_name_mangle(*i);
+ if (!u)
+ return log_oom();
+
+ r = add_matches_for_user_unit(j, u, getuid());
+ if (r < 0)
+ return r;
+
+ r = sd_journal_add_disjunction(j);
+ if (r < 0)
+ return r;
+
+ }
+
+ r = sd_journal_add_conjunction(j);
+ if (r < 0)
+ return r;
+
+ return 0;
+}
+
+static int add_priorities(sd_journal *j) {
+ char match[] = "PRIORITY=0";
+ int i, r;
+ assert(j);
+
+ if (arg_priorities == 0xFF)
+ return 0;
+
+ for (i = LOG_EMERG; i <= LOG_DEBUG; i++)
+ if (arg_priorities & (1 << i)) {
+ match[sizeof(match)-2] = '0' + i;
+
+ r = sd_journal_add_match(j, match, strlen(match));
+ if (r < 0) {
+ log_error("Failed to add match: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ r = sd_journal_add_conjunction(j);
+ if (r < 0)
+ return r;
+
+ return 0;
+}
+
+static int setup_keys(void) {
+#ifdef HAVE_GCRYPT
+ size_t mpk_size, seed_size, state_size, i;
+ uint8_t *mpk, *seed, *state;
+ ssize_t l;
+ int fd = -1, r, attr = 0;
+ sd_id128_t machine, boot;
+ char *p = NULL, *k = NULL;
+ struct FSSHeader h;
+ uint64_t n;
+ struct stat st;
+
+ r = stat("/var/log/journal", &st);
+ if (r < 0 && errno != ENOENT && errno != ENOTDIR) {
+ log_error("stat(\"%s\") failed: %m", "/var/log/journal");
+ return -errno;
+ }
+
+ if (r < 0 || !S_ISDIR(st.st_mode)) {
+ log_error("%s is not a directory, must be using persistent logging for FSS.",
+ "/var/log/journal");
+ return r < 0 ? -errno : -ENOTDIR;
+ }
+
+ r = sd_id128_get_machine(&machine);
+ if (r < 0) {
+ log_error("Failed to get machine ID: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_id128_get_boot(&boot);
+ if (r < 0) {
+ log_error("Failed to get boot ID: %s", strerror(-r));
+ return r;
+ }
+
+ if (asprintf(&p, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss",
+ SD_ID128_FORMAT_VAL(machine)) < 0)
+ return log_oom();
+
+ if (access(p, F_OK) >= 0) {
+ if (arg_force) {
+ r = unlink(p);
+ if (r < 0) {
+ log_error("unlink(\"%s\") failed: %m", p);
+ r = -errno;
+ goto finish;
+ }
+ } else {
+ log_error("Sealing key file %s exists already. (--force to recreate)", p);
+ r = -EEXIST;
+ goto finish;
+ }
+ }
+
+ if (asprintf(&k, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss.tmp.XXXXXX",
+ SD_ID128_FORMAT_VAL(machine)) < 0) {
+ r = log_oom();
+ goto finish;
+ }
+
+ mpk_size = FSPRG_mskinbytes(FSPRG_RECOMMENDED_SECPAR);
+ mpk = alloca(mpk_size);
+
+ seed_size = FSPRG_RECOMMENDED_SEEDLEN;
+ seed = alloca(seed_size);
+
+ state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR);
+ state = alloca(state_size);
+
+ fd = open("/dev/random", O_RDONLY|O_CLOEXEC|O_NOCTTY);
+ if (fd < 0) {
+ log_error("Failed to open /dev/random: %m");
+ r = -errno;
+ goto finish;
+ }
+
+ log_info("Generating seed...");
+ l = loop_read(fd, seed, seed_size, true);
+ if (l < 0 || (size_t) l != seed_size) {
+ log_error("Failed to read random seed: %s", strerror(EIO));
+ r = -EIO;
+ goto finish;
+ }
+
+ log_info("Generating key pair...");
+ FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR);
+
+ log_info("Generating sealing key...");
+ FSPRG_GenState0(state, mpk, seed, seed_size);
+
+ assert(arg_interval > 0);
+
+ n = now(CLOCK_REALTIME);
+ n /= arg_interval;
+
+ close_nointr_nofail(fd);
+ fd = mkostemp(k, O_WRONLY|O_CLOEXEC|O_NOCTTY);
+ if (fd < 0) {
+ log_error("Failed to open %s: %m", k);
+ r = -errno;
+ goto finish;
+ }
+
+ /* Enable secure remove, exclusion from dump, synchronous
+ * writing and in-place updating */
+ if (ioctl(fd, FS_IOC_GETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_GETFLAGS failed: %m");
+
+ attr |= FS_SECRM_FL|FS_NODUMP_FL|FS_SYNC_FL|FS_NOCOW_FL;
+
+ if (ioctl(fd, FS_IOC_SETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_SETFLAGS failed: %m");
+
+ zero(h);
+ memcpy(h.signature, "KSHHRHLP", 8);
+ h.machine_id = machine;
+ h.boot_id = boot;
+ h.header_size = htole64(sizeof(h));
+ h.start_usec = htole64(n * arg_interval);
+ h.interval_usec = htole64(arg_interval);
+ h.fsprg_secpar = htole16(FSPRG_RECOMMENDED_SECPAR);
+ h.fsprg_state_size = htole64(state_size);
+
+ l = loop_write(fd, &h, sizeof(h), false);
+ if (l < 0 || (size_t) l != sizeof(h)) {
+ log_error("Failed to write header: %s", strerror(EIO));
+ r = -EIO;
+ goto finish;
+ }
+
+ l = loop_write(fd, state, state_size, false);
+ if (l < 0 || (size_t) l != state_size) {
+ log_error("Failed to write state: %s", strerror(EIO));
+ r = -EIO;
+ goto finish;
+ }
+
+ if (link(k, p) < 0) {
+ log_error("Failed to link file: %m");
+ r = -errno;
+ goto finish;
+ }