#include <linux/sockios.h>
#include <sys/statvfs.h>
#include <sys/mman.h>
+#include <sys/timerfd.h>
#include <libudev.h>
#include <systemd/sd-journal.h>
#include <systemd/sd-login.h>
#endif
+#include "fileio.h"
#include "mkdir.h"
#include "hashmap.h"
#include "journal-file.h"
#define USER_JOURNALS_MAX 1024
+#define DEFAULT_SYNC_INTERVAL_USEC (5*USEC_PER_MINUTE)
#define DEFAULT_RATE_LIMIT_INTERVAL (10*USEC_PER_SEC)
#define DEFAULT_RATE_LIMIT_BURST 200
}
static void server_read_file_gid(Server *s) {
- const char *adm = "adm";
+ const char *g = "systemd-journal";
int r;
assert(s);
if (s->file_gid_valid)
return;
- r = get_group_creds(&adm, &s->file_gid);
+ r = get_group_creds(&g, &s->file_gid);
if (r < 0)
- log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+ log_warning("Failed to resolve '%s' group: %s", g, strerror(-r));
/* if we couldn't read the gid, then it will be 0, but that's
* fine and we shouldn't try to resolve the group again, so
}
}
+void server_sync(Server *s) {
+ JournalFile *f;
+ void *k;
+ Iterator i;
+ int r;
+
+ static const struct itimerspec sync_timer_disable = {};
+
+ if (s->system_journal) {
+ r = journal_file_set_offline(s->system_journal);
+ if (r < 0)
+ log_error("Failed to sync system journal: %s", strerror(-r));
+ }
+
+ HASHMAP_FOREACH_KEY(f, k, s->user_journals, i) {
+ r = journal_file_set_offline(f);
+ if (r < 0)
+ log_error("Failed to sync user journal: %s", strerror(-r));
+ }
+
+ r = timerfd_settime(s->sync_timer_fd, 0, &sync_timer_disable, NULL);
+ if (r < 0)
+ log_error("Failed to disable max timer: %m");
+
+ s->sync_scheduled = false;
+}
+
void server_vacuum(Server *s) {
char *p;
char ids[33];
}
r = journal_file_append_entry(f, NULL, iovec, n, &s->seqnum, NULL, NULL);
- if (r >= 0)
+ if (r >= 0) {
+ server_schedule_sync(s);
return;
+ }
if (vacuumed || !shall_try_append_again(f, r)) {
log_error("Failed to write entry, ignoring: %s", strerror(-r));
sd_id128_t id;
int r;
char *t;
- uid_t loginuid = 0, realuid = 0;
- uid_t journal_uid;
- bool loginuid_valid = false;
+ uid_t realuid = 0, owner = 0, journal_uid;
+ bool owner_valid = false;
assert(s);
assert(iovec);
if (ucred) {
uint32_t audit;
-#ifdef HAVE_LOGIND
- uid_t owner;
-#endif
+ uid_t loginuid;
realuid = ucred->uid;
IOVEC_SET_STRING(iovec[n++], audit_session);
r = audit_loginuid_from_pid(ucred->pid, &loginuid);
- if (r >= 0) {
- loginuid_valid = true;
+ if (r >= 0)
if (asprintf(&audit_loginuid, "_AUDIT_LOGINUID=%lu", (unsigned long) loginuid) >= 0)
IOVEC_SET_STRING(iovec[n++], audit_loginuid);
- }
t = shortened_cgroup_path(ucred->pid);
if (t) {
IOVEC_SET_STRING(iovec[n++], session);
}
- if (sd_pid_get_owner_uid(ucred->uid, &owner) >= 0)
+ if (sd_pid_get_owner_uid(ucred->pid, &owner) >= 0) {
+ owner_valid = true;
if (asprintf(&owner_uid, "_SYSTEMD_OWNER_UID=%lu", (unsigned long) owner) >= 0)
IOVEC_SET_STRING(iovec[n++], owner_uid);
+ }
#endif
if (cg_pid_get_unit(ucred->pid, &t) >= 0) {
if (label) {
selinux_context = malloc(sizeof("_SELINUX_CONTEXT=") + label_len);
if (selinux_context) {
- memcpy(selinux_context, "_SELINUX_CONTEXT=", sizeof("_SELINUX_CONTEXT=")-1);
- memcpy(selinux_context+sizeof("_SELINUX_CONTEXT=")-1, label, label_len);
- selinux_context[sizeof("_SELINUX_CONTEXT=")-1+label_len] = 0;
+ *((char*) mempcpy(stpcpy(selinux_context, "_SELINUX_CONTEXT="), label, label_len)) = 0;
IOVEC_SET_STRING(iovec[n++], selinux_context);
}
} else {
selinux_context = strappend("_SELINUX_CONTEXT=", con);
if (selinux_context)
IOVEC_SET_STRING(iovec[n++], selinux_context);
-
freecon(con);
}
}
assert(n <= m);
- if (s->split_mode == SPLIT_NONE)
- journal_uid = 0;
- else if (s->split_mode == SPLIT_UID || realuid == 0 || !loginuid_valid)
+ if (s->split_mode == SPLIT_UID && realuid > 0)
+ /* Split up strictly by any UID */
journal_uid = realuid;
+ else if (s->split_mode == SPLIT_LOGIN && realuid > 0 && owner_valid && owner > 0)
+ /* Split up by login UIDs, this avoids creation of
+ * individual journals for system UIDs. We do this
+ * only if the realuid is not root, in order not to
+ * accidentally leak privileged information to the
+ * user that is logged by a privileged process that is
+ * part of an unprivileged session.*/
+ journal_uid = owner;
else
- journal_uid = loginuid;
+ journal_uid = 0;
write_to_journal(s, journal_uid, iovec, n);
}
struct iovec iovec[N_IOVEC_META_FIELDS + 4];
int n = 0;
va_list ap;
- struct ucred ucred;
+ struct ucred ucred = {};
assert(s);
assert(format);
IOVEC_SET_STRING(iovec[n++], mid);
}
- zero(ucred);
ucred.pid = getpid();
ucred.uid = getuid();
ucred.gid = getgid();
if (r >= 0)
rm_rf("/run/log/journal", false, true, false);
- if (j)
- sd_journal_close(j);
+ sd_journal_close(j);
return r;
}
return -errno;
}
- log_info("Received SIG%s", signal_to_string(sfsi.ssi_signo));
-
if (sfsi.ssi_signo == SIGUSR1) {
touch("/run/systemd/journal/flushed");
server_flush_to_var(s);
+ server_sync(s);
return 1;
}
return 1;
}
+ log_info("Received SIG%s", signal_to_string(sfsi.ssi_signo));
+
return 0;
+ } else if (ev->data.fd == s->sync_timer_fd) {
+ int r;
+ uint64_t t;
+
+ log_debug("Got sync request from epoll.");
+
+ r = read(ev->data.fd, (void *)&t, sizeof(t));
+ if (r < 0)
+ return 0;
+
+ server_sync(s);
+ return 1;
+
} else if (ev->data.fd == s->dev_kmsg_fd) {
int r;
return r;
}
+static int server_open_sync_timer(Server *s) {
+ int r;
+ struct epoll_event ev;
+
+ assert(s);
+
+ s->sync_timer_fd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);
+ if (s->sync_timer_fd < 0)
+ return -errno;
+
+ zero(ev);
+ ev.events = EPOLLIN;
+ ev.data.fd = s->sync_timer_fd;
+
+ r = epoll_ctl(s->epoll_fd, EPOLL_CTL_ADD, s->sync_timer_fd, &ev);
+ if (r < 0) {
+ log_error("Failed to add idle timer fd to epoll object: %m");
+ return -errno;
+ }
+
+ return 0;
+}
+
+int server_schedule_sync(Server *s) {
+ int r;
+
+ assert(s);
+
+ if (s->sync_scheduled)
+ return 0;
+
+ if (s->sync_interval_usec) {
+ struct itimerspec sync_timer_enable = {
+ .it_value.tv_sec = s->sync_interval_usec / USEC_PER_SEC,
+ .it_value.tv_nsec = s->sync_interval_usec % MSEC_PER_SEC,
+ };
+
+ r = timerfd_settime(s->sync_timer_fd, 0, &sync_timer_enable, NULL);
+ if (r < 0)
+ return -errno;
+ }
+
+ s->sync_scheduled = true;
+
+ return 0;
+}
+
int server_init(Server *s) {
int n, r, fd;
assert(s);
zero(*s);
- s->syslog_fd = s->native_fd = s->stdout_fd = s->signal_fd = s->epoll_fd = s->dev_kmsg_fd = -1;
+ s->sync_timer_fd = s->syslog_fd = s->native_fd = s->stdout_fd =
+ s->signal_fd = s->epoll_fd = s->dev_kmsg_fd = -1;
s->compress = true;
s->seal = true;
+ s->sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC;
+ s->sync_scheduled = false;
+
s->rate_limit_interval = DEFAULT_RATE_LIMIT_INTERVAL;
s->rate_limit_burst = DEFAULT_RATE_LIMIT_BURST;
server_parse_config_file(s);
server_parse_proc_cmdline(s);
+ if (!!s->rate_limit_interval ^ !!s->rate_limit_burst) {
+ log_debug("Setting both rate limit interval and burst from %llu,%u to 0,0",
+ (long long unsigned) s->rate_limit_interval,
+ s->rate_limit_burst);
+ s->rate_limit_interval = s->rate_limit_burst = 0;
+ }
mkdir_p("/run/systemd/journal", 0755);
if (r < 0)
return r;
+ r = server_open_sync_timer(s);
+ if (r < 0)
+ return r;
+
r = open_signalfd(s);
if (r < 0)
return r;
if (!s->udev)
return -ENOMEM;
- s->rate_limit = journal_rate_limit_new(s->rate_limit_interval, s->rate_limit_burst);
+ s->rate_limit = journal_rate_limit_new(s->rate_limit_interval,
+ s->rate_limit_burst);
if (!s->rate_limit)
return -ENOMEM;
if (s->dev_kmsg_fd >= 0)
close_nointr_nofail(s->dev_kmsg_fd);
+ if (s->sync_timer_fd >= 0)
+ close_nointr_nofail(s->sync_timer_fd);
+
if (s->rate_limit)
journal_rate_limit_free(s->rate_limit);