#include <sys/signalfd.h>
#include <unistd.h>
#include <fcntl.h>
-#include <sys/acl.h>
-#include <acl/libacl.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <linux/sockios.h>
#include "hashmap.h"
#include "journal-file.h"
#include "socket-util.h"
-#include "acl-util.h"
#include "cgroup-util.h"
#include "list.h"
#include "journal-rate-limit.h"
#include "journald.h"
#include "virt.h"
+#ifdef HAVE_ACL
+#include <sys/acl.h>
+#include <acl/libacl.h>
+#include "acl-util.h"
+#endif
+
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#define USER_JOURNALS_MAX 1024
#define STDOUT_STREAMS_MAX 4096
#define SYSLOG_TIMEOUT_USEC (250*USEC_PER_MSEC)
-#define N_IOVEC_META_FIELDS 16
+#define N_IOVEC_META_FIELDS 17
typedef enum StdoutStreamState {
STDOUT_STREAM_IDENTIFIER,
return avail;
}
-static void fix_perms(JournalFile *f, uid_t uid) {
+static void server_read_file_gid(Server *s) {
+ const char *adm = "adm";
+ int r;
+
+ assert(s);
+
+ if (s->file_gid_valid)
+ return;
+
+ r = get_group_creds(&adm, &s->file_gid);
+ if (r < 0)
+ log_warning("Failed to resolve 'adm' group: %s", strerror(-r));
+
+ /* if we couldn't read the gid, then it will be 0, but that's
+ * fine and we shouldn't try to resolve the group again, so
+ * let's just pretend it worked right-away. */
+ s->file_gid_valid = true;
+}
+
+static void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
+ int r;
+#ifdef HAVE_ACL
acl_t acl;
acl_entry_t entry;
acl_permset_t permset;
- int r;
+#endif
assert(f);
- r = fchmod_and_fchown(f->fd, 0640, 0, 0);
+ server_read_file_gid(s);
+
+ r = fchmod_and_fchown(f->fd, 0640, 0, s->file_gid);
if (r < 0)
log_warning("Failed to fix access mode/rights on %s, ignoring: %s", f->path, strerror(-r));
+#ifdef HAVE_ACL
if (uid <= 0)
return;
finish:
acl_free(acl);
+#endif
}
static JournalFile* find_journal(Server *s, uid_t uid) {
if (r < 0)
return s->system_journal;
- fix_perms(f, uid);
+ server_fix_perms(s, f, uid);
f->metrics = s->system_metrics;
f->compress = s->compress;
*comm = NULL, *cmdline = NULL, *hostname = NULL,
*audit_session = NULL, *audit_loginuid = NULL,
*exe = NULL, *cgroup = NULL, *session = NULL,
- *owner_uid = NULL, *unit = NULL;
+ *owner_uid = NULL, *unit = NULL, *selinux_context = NULL;
char idbuf[33];
sd_id128_t id;
if (ucred) {
uint32_t audit;
uid_t owner;
+#ifdef HAVE_SELINUX
+ security_context_t con;
+#endif
realuid = ucred->uid;
if (sd_pid_get_owner_uid(ucred->uid, &owner) >= 0)
if (asprintf(&owner_uid, "_SYSTEMD_OWNER_UID=%lu", (unsigned long) owner) >= 0)
IOVEC_SET_STRING(iovec[n++], owner_uid);
+
+#ifdef HAVE_SELINUX
+ if (getpidcon(ucred->pid, &con) >= 0) {
+ selinux_context = strappend("_SELINUX_CONTEXT=", con);
+ if (selinux_context)
+ IOVEC_SET_STRING(iovec[n++], selinux_context);
+
+ freecon(con);
+ }
+#endif
}
if (tv) {
free(session);
free(owner_uid);
free(unit);
+ free(selinux_context);
}
static void driver_message(Server *s, sd_id128_t message_id, const char *format, ...) {
free(ident_buf);
}
-static void read_identifier(const char **buf, char **identifier) {
+static void read_identifier(const char **buf, char **identifier, char **pid) {
const char *p;
char *t;
size_t l, e;
assert(buf);
assert(identifier);
+ assert(pid);
p = *buf;
for (;;) {
if (p[k] == '[') {
+ t = strndup(p+k+1, l-k-2);
+ if (t)
+ *pid = t;
+
l = k;
break;
}
}
static void process_syslog_message(Server *s, const char *buf, struct ucred *ucred, struct timeval *tv) {
- char *message = NULL, *syslog_priority = NULL, *syslog_facility = NULL, *syslog_identifier = NULL;
- struct iovec iovec[N_IOVEC_META_FIELDS + 5];
+ char *message = NULL, *syslog_priority = NULL, *syslog_facility = NULL, *syslog_identifier = NULL, *syslog_pid = NULL;
+ struct iovec iovec[N_IOVEC_META_FIELDS + 6];
unsigned n = 0;
int priority = LOG_USER | LOG_INFO;
- char *identifier = NULL;
+ char *identifier = NULL, *pid = NULL;
assert(s);
assert(buf);
parse_syslog_priority((char**) &buf, &priority);
skip_syslog_date((char**) &buf);
- read_identifier(&buf, &identifier);
+ read_identifier(&buf, &identifier, &pid);
if (s->forward_to_kmsg)
forward_kmsg(s, priority, identifier, buf, ucred);
IOVEC_SET_STRING(iovec[n++], syslog_identifier);
}
+ if (pid) {
+ syslog_pid = strappend("SYSLOG_PID=", pid);
+ if (syslog_pid)
+ IOVEC_SET_STRING(iovec[n++], syslog_pid);
+ }
+
message = strappend("MESSAGE=", buf);
if (message)
IOVEC_SET_STRING(iovec[n++], message);
free(message);
free(identifier);
+ free(pid);
free(syslog_priority);
free(syslog_facility);
free(syslog_identifier);
skip = end - p + 1;
else if (remaining >= sizeof(s->buffer) - 1) {
end = p + sizeof(s->buffer) - 1;
- skip = sizeof(s->buffer) - 1;
+ skip = remaining;
} else
break;
return r;
}
+static int parse_kernel_timestamp(char **_p, usec_t *t) {
+ usec_t r;
+ int k, i;
+ char *p;
+
+ assert(_p);
+ assert(*_p);
+ assert(t);
+
+ p = *_p;
+
+ if (strlen(p) < 14 || p[0] != '[' || p[13] != ']' || p[6] != '.')
+ return 0;
+
+ r = 0;
+
+ for (i = 1; i <= 5; i++) {
+ r *= 10;
+
+ if (p[i] == ' ')
+ continue;
+
+ k = undecchar(p[i]);
+ if (k < 0)
+ return 0;
+
+ r += k;
+ }
+
+ for (i = 7; i <= 12; i++) {
+ r *= 10;
+
+ k = undecchar(p[i]);
+ if (k < 0)
+ return 0;
+
+ r += k;
+ }
+
+ *t = r;
+ *_p += 14;
+ *_p += strspn(*_p, WHITESPACE);
+
+ return 1;
+}
+
+static void proc_kmsg_line(Server *s, const char *p) {
+ struct iovec iovec[N_IOVEC_META_FIELDS + 7];
+ char *message = NULL, *syslog_priority = NULL, *syslog_pid = NULL, *syslog_facility = NULL, *syslog_identifier = NULL, *source_time = NULL;
+ int priority = LOG_KERN | LOG_INFO;
+ unsigned n = 0;
+ usec_t usec;
+ char *identifier = NULL, *pid = NULL;
+
+ assert(s);
+ assert(p);
+
+ parse_syslog_priority((char **) &p, &priority);
+
+ if (s->forward_to_kmsg && (priority & LOG_FACMASK) != LOG_KERN)
+ return;
+
+ if (parse_kernel_timestamp((char **) &p, &usec) > 0) {
+ if (asprintf(&source_time, "_SOURCE_MONOTONIC_TIMESTAMP=%llu",
+ (unsigned long long) usec) >= 0)
+ IOVEC_SET_STRING(iovec[n++], source_time);
+ }
+
+ IOVEC_SET_STRING(iovec[n++], "_TRANSPORT=kernel");
+
+ if (asprintf(&syslog_priority, "PRIORITY=%i", priority & LOG_PRIMASK) >= 0)
+ IOVEC_SET_STRING(iovec[n++], syslog_priority);
+
+ if ((priority & LOG_FACMASK) == LOG_KERN) {
+
+ if (s->forward_to_syslog)
+ forward_syslog(s, priority, "kernel", p, NULL, NULL);
+
+ IOVEC_SET_STRING(iovec[n++], "SYSLOG_IDENTIFIER=kernel");
+ } else {
+ read_identifier(&p, &identifier, &pid);
+
+ if (s->forward_to_syslog)
+ forward_syslog(s, priority, identifier, p, NULL, NULL);
+
+ if (identifier) {
+ syslog_identifier = strappend("SYSLOG_IDENTIFIER=", identifier);
+ if (syslog_identifier)
+ IOVEC_SET_STRING(iovec[n++], syslog_identifier);
+ }
+
+ if (pid) {
+ syslog_pid = strappend("SYSLOG_PID=", pid);
+ if (syslog_pid)
+ IOVEC_SET_STRING(iovec[n++], syslog_pid);
+ }
+
+ if (asprintf(&syslog_facility, "SYSLOG_FACILITY=%i", LOG_FAC(priority)) >= 0)
+ IOVEC_SET_STRING(iovec[n++], syslog_facility);
+ }
+
+ message = strappend("MESSAGE=", p);
+ if (message)
+ IOVEC_SET_STRING(iovec[n++], message);
+
+
+ dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, priority);
+
+ free(message);
+ free(syslog_priority);
+ free(syslog_identifier);
+ free(syslog_pid);
+ free(syslog_facility);
+ free(source_time);
+ free(identifier);
+ free(pid);
+}
+
+static void proc_kmsg_scan(Server *s) {
+ char *p;
+ size_t remaining;
+
+ assert(s);
+
+ p = s->proc_kmsg_buffer;
+ remaining = s->proc_kmsg_length;
+ for (;;) {
+ char *end;
+ size_t skip;
+
+ end = memchr(p, '\n', remaining);
+ if (end)
+ skip = end - p + 1;
+ else if (remaining >= sizeof(s->proc_kmsg_buffer) - 1) {
+ end = p + sizeof(s->proc_kmsg_buffer) - 1;
+ skip = remaining;
+ } else
+ break;
+
+ *end = 0;
+
+ proc_kmsg_line(s, p);
+
+ remaining -= skip;
+ p += skip;
+ }
+
+ if (p > s->proc_kmsg_buffer) {
+ memmove(s->proc_kmsg_buffer, p, remaining);
+ s->proc_kmsg_length = remaining;
+ }
+}
+
static int system_journal_open(Server *s) {
int r;
char *fn;
s->system_journal->metrics = s->system_metrics;
s->system_journal->compress = s->compress;
- fix_perms(s->system_journal, 0);
+ server_fix_perms(s, s->system_journal, 0);
} else if (r < 0) {
if (r != -ENOENT && r != -EROFS)
s->runtime_journal->metrics = s->runtime_metrics;
s->runtime_journal->compress = s->compress;
- fix_perms(s->runtime_journal, 0);
+ server_fix_perms(s, s->runtime_journal, 0);
}
}
if (!s->system_journal)
return 0;
+ log_info("Flushing to /var...");
+
r = sd_id128_get_machine(&machine);
if (r < 0) {
log_error("Failed to get machine id: %s", strerror(-r));
return r;
}
+static int server_read_proc_kmsg(Server *s) {
+ ssize_t l;
+ assert(s);
+ assert(s->proc_kmsg_fd >= 0);
+
+ l = read(s->proc_kmsg_fd, s->proc_kmsg_buffer + s->proc_kmsg_length, sizeof(s->proc_kmsg_buffer) - 1 - s->proc_kmsg_length);
+ if (l < 0) {
+
+ if (errno == EAGAIN || errno == EINTR)
+ return 0;
+
+ log_error("Failed to read from kernel: %m");
+ return -errno;
+ }
+
+ s->proc_kmsg_length += l;
+
+ proc_kmsg_scan(s);
+ return 1;
+}
+
+static int server_flush_proc_kmsg(Server *s) {
+ int r;
+
+ assert(s);
+
+ if (s->proc_kmsg_fd < 0)
+ return 0;
+
+ log_info("Flushing /proc/kmsg...");
+
+ for (;;) {
+ r = server_read_proc_kmsg(s);
+ if (r < 0)
+ return r;
+
+ if (r == 0)
+ break;
+ }
+
+ return 0;
+}
+
static int process_event(Server *s, struct epoll_event *ev) {
assert(s);
return -EIO;
if (errno == EINTR || errno == EAGAIN)
- return 0;
+ return 1;
return -errno;
}
log_debug("Received SIG%s", signal_to_string(sfsi.ssi_signo));
return 0;
+ } else if (ev->data.fd == s->proc_kmsg_fd) {
+ int r;
+
+ if (ev->events != EPOLLIN) {
+ log_info("Got invalid event from epoll.");
+ return -EIO;
+ }
+
+ r = server_read_proc_kmsg(s);
+ if (r < 0)
+ return r;
+
+ return 1;
+
} else if (ev->data.fd == s->native_fd ||
ev->data.fd == s->syslog_fd) {
if (s->syslog_fd < 0) {
- s->syslog_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+ s->syslog_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (s->syslog_fd < 0) {
log_error("socket() failed: %m");
return -errno;
if (s->native_fd < 0) {
- s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+ s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (s->native_fd < 0) {
log_error("socket() failed: %m");
return -errno;
if (s->stdout_fd < 0) {
- s->stdout_fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ s->stdout_fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (s->stdout_fd < 0) {
log_error("socket() failed: %m");
return -errno;
return 0;
}
+static int open_proc_kmsg(Server *s) {
+ struct epoll_event ev;
+
+ assert(s);
+
+ if (!s->import_proc_kmsg)
+ return 0;
+
+
+ s->proc_kmsg_fd = open("/proc/kmsg", O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+ if (s->proc_kmsg_fd < 0) {
+ log_warning("Failed to open /proc/kmsg, ignoring: %m");
+ return 0;
+ }
+
+ zero(ev);
+ ev.events = EPOLLIN;
+ ev.data.fd = s->proc_kmsg_fd;
+ if (epoll_ctl(s->epoll_fd, EPOLL_CTL_ADD, s->proc_kmsg_fd, &ev) < 0) {
+ log_error("Failed to add /proc/kmsg fd to epoll object: %m");
+ return -errno;
+ }
+
+ return 0;
+}
+
static int open_signalfd(Server *s) {
sigset_t mask;
struct epoll_event ev;
assert(s);
zero(*s);
- s->syslog_fd = s->native_fd = s->stdout_fd = s->signal_fd = s->epoll_fd = -1;
+ s->syslog_fd = s->native_fd = s->stdout_fd = s->signal_fd = s->epoll_fd = s->proc_kmsg_fd = -1;
s->compress = true;
s->rate_limit_interval = DEFAULT_RATE_LIMIT_INTERVAL;
s->rate_limit_burst = DEFAULT_RATE_LIMIT_BURST;
s->forward_to_syslog = true;
+ s->import_proc_kmsg = true;
memset(&s->system_metrics, 0xFF, sizeof(s->system_metrics));
memset(&s->runtime_metrics, 0xFF, sizeof(s->runtime_metrics));
if (r < 0)
return r;
+ r = open_proc_kmsg(s);
+ if (r < 0)
+ return r;
+
r = system_journal_open(s);
if (r < 0)
return r;
if (s->stdout_fd >= 0)
close_nointr_nofail(s->stdout_fd);
+ if (s->proc_kmsg_fd >= 0)
+ close_nointr_nofail(s->proc_kmsg_fd);
+
if (s->rate_limit)
journal_rate_limit_free(s->rate_limit);
server_vacuum(&server);
server_flush_to_var(&server);
+ server_flush_proc_kmsg(&server);
log_debug("systemd-journald running as pid %lu", (unsigned long) getpid());
driver_message(&server, SD_MESSAGE_JOURNAL_START, "Journal started");