1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2011 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
34 #include <sys/ioctl.h>
42 #include <systemd/sd-journal.h>
45 #include "logs-show.h"
47 #include "path-util.h"
52 #include "journal-internal.h"
53 #include "journal-def.h"
54 #include "journal-verify.h"
55 #include "journal-authenticate.h"
56 #include "journal-qrcode.h"
58 #include "unit-name.h"
61 #define DEFAULT_FSS_INTERVAL_USEC (15*USEC_PER_MINUTE)
63 static OutputMode arg_output = OUTPUT_SHORT;
64 static bool arg_pager_end = false;
65 static bool arg_follow = false;
66 static bool arg_full = true;
67 static bool arg_all = false;
68 static bool arg_no_pager = false;
69 static int arg_lines = -1;
70 static bool arg_no_tail = false;
71 static bool arg_quiet = false;
72 static bool arg_merge = false;
73 static bool arg_boot = false;
74 static char *arg_boot_descriptor = NULL;
75 static bool arg_dmesg = false;
76 static const char *arg_cursor = NULL;
77 static const char *arg_after_cursor = NULL;
78 static bool arg_show_cursor = false;
79 static const char *arg_directory = NULL;
80 static char **arg_file = NULL;
81 static int arg_priorities = 0xFF;
82 static const char *arg_verify_key = NULL;
84 static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
85 static bool arg_force = false;
87 static usec_t arg_since, arg_until;
88 static bool arg_since_set = false, arg_until_set = false;
89 static char **arg_system_units = NULL;
90 static char **arg_user_units = NULL;
91 static const char *arg_field = NULL;
92 static bool arg_catalog = false;
93 static bool arg_reverse = false;
94 static int arg_journal_type = 0;
95 static const char *arg_root = NULL;
96 static const char *arg_machine = NULL;
107 ACTION_UPDATE_CATALOG,
109 } arg_action = ACTION_SHOW;
111 typedef struct boot_id_t {
117 static void pager_open_if_enabled(void) {
122 pager_open(arg_pager_end);
125 static int help(void) {
127 pager_open_if_enabled();
129 printf("%s [OPTIONS...] [MATCHES...]\n\n"
130 "Query the journal.\n\n"
132 " --system Show only the system journal\n"
133 " --user Show only the user journal for current user\n"
134 " -M --machine=CONTAINER Operate on local container\n"
135 " --since=DATE Start showing entries newer or of the specified date\n"
136 " --until=DATE Stop showing entries older or of the specified date\n"
137 " -c --cursor=CURSOR Start showing entries from specified cursor\n"
138 " --after-cursor=CURSOR Start showing entries from specified cursor\n"
139 " --show-cursor Print the cursor after all the entries\n"
140 " -b --boot[=ID] Show data only from ID or current boot if unspecified\n"
141 " --list-boots Show terse information about recorded boots\n"
142 " -k --dmesg Show kernel message log from current boot\n"
143 " -u --unit=UNIT Show data only from the specified unit\n"
144 " --user-unit=UNIT Show data only from the specified user session unit\n"
145 " -p --priority=RANGE Show only messages within the specified priority range\n"
146 " -e --pager-end Immediately jump to end of the journal in the pager\n"
147 " -f --follow Follow journal\n"
148 " -n --lines[=INTEGER] Number of journal entries to show\n"
149 " --no-tail Show all lines, even in follow mode\n"
150 " -r --reverse Show the newest entries first\n"
151 " -o --output=STRING Change journal output mode (short, short-iso,\n"
152 " short-precise, short-monotonic, verbose,\n"
153 " export, json, json-pretty, json-sse, cat)\n"
154 " -x --catalog Add message explanations where available\n"
155 " --no-full Ellipsize fields\n"
156 " -a --all Show all fields, including long and unprintable\n"
157 " -q --quiet Don't show privilege warning\n"
158 " --no-pager Do not pipe output into a pager\n"
159 " -m --merge Show entries from all available journals\n"
160 " -D --directory=PATH Show journal files from directory\n"
161 " --file=PATH Show journal file\n"
162 " --root=ROOT Operate on catalog files underneath the root ROOT\n"
164 " --interval=TIME Time interval for changing the FSS sealing key\n"
165 " --verify-key=KEY Specify FSS verification key\n"
166 " --force Force overriding new FSS key pair with --setup-keys\n"
169 " -h --help Show this help\n"
170 " --version Show package version\n"
171 " --new-id128 Generate a new 128 Bit ID\n"
172 " --header Show journal header information\n"
173 " --disk-usage Show total disk usage\n"
174 " -F --field=FIELD List all values a certain field takes\n"
175 " --list-catalog Show message IDs of all entries in the message catalog\n"
176 " --dump-catalog Show entries in the message catalog\n"
177 " --update-catalog Update the message catalog database\n"
179 " --setup-keys Generate new FSS key pair\n"
180 " --verify Verify journal file consistency\n"
182 , program_invocation_short_name);
187 static int parse_argv(int argc, char *argv[]) {
217 static const struct option options[] = {
218 { "help", no_argument, NULL, 'h' },
219 { "version" , no_argument, NULL, ARG_VERSION },
220 { "no-pager", no_argument, NULL, ARG_NO_PAGER },
221 { "pager-end", no_argument, NULL, 'e' },
222 { "follow", no_argument, NULL, 'f' },
223 { "force", no_argument, NULL, ARG_FORCE },
224 { "output", required_argument, NULL, 'o' },
225 { "all", no_argument, NULL, 'a' },
226 { "full", no_argument, NULL, 'l' },
227 { "no-full", no_argument, NULL, ARG_NO_FULL },
228 { "lines", optional_argument, NULL, 'n' },
229 { "no-tail", no_argument, NULL, ARG_NO_TAIL },
230 { "new-id128", no_argument, NULL, ARG_NEW_ID128 },
231 { "quiet", no_argument, NULL, 'q' },
232 { "merge", no_argument, NULL, 'm' },
233 { "boot", optional_argument, NULL, 'b' },
234 { "list-boots", no_argument, NULL, ARG_LIST_BOOTS },
235 { "this-boot", optional_argument, NULL, 'b' }, /* deprecated */
236 { "dmesg", no_argument, NULL, 'k' },
237 { "system", no_argument, NULL, ARG_SYSTEM },
238 { "user", no_argument, NULL, ARG_USER },
239 { "directory", required_argument, NULL, 'D' },
240 { "file", required_argument, NULL, ARG_FILE },
241 { "root", required_argument, NULL, ARG_ROOT },
242 { "header", no_argument, NULL, ARG_HEADER },
243 { "priority", required_argument, NULL, 'p' },
244 { "setup-keys", no_argument, NULL, ARG_SETUP_KEYS },
245 { "interval", required_argument, NULL, ARG_INTERVAL },
246 { "verify", no_argument, NULL, ARG_VERIFY },
247 { "verify-key", required_argument, NULL, ARG_VERIFY_KEY },
248 { "disk-usage", no_argument, NULL, ARG_DISK_USAGE },
249 { "cursor", required_argument, NULL, 'c' },
250 { "after-cursor", required_argument, NULL, ARG_AFTER_CURSOR },
251 { "show-cursor", no_argument, NULL, ARG_SHOW_CURSOR },
252 { "since", required_argument, NULL, ARG_SINCE },
253 { "until", required_argument, NULL, ARG_UNTIL },
254 { "unit", required_argument, NULL, 'u' },
255 { "user-unit", required_argument, NULL, ARG_USER_UNIT },
256 { "field", required_argument, NULL, 'F' },
257 { "catalog", no_argument, NULL, 'x' },
258 { "list-catalog", no_argument, NULL, ARG_LIST_CATALOG },
259 { "dump-catalog", no_argument, NULL, ARG_DUMP_CATALOG },
260 { "update-catalog", no_argument, NULL, ARG_UPDATE_CATALOG },
261 { "reverse", no_argument, NULL, 'r' },
262 { "machine", required_argument, NULL, 'M' },
271 while ((c = getopt_long(argc, argv, "hefo:aln::qmb::kD:p:c:u:F:xrM:", options, NULL)) >= 0) {
279 puts(PACKAGE_STRING);
280 puts(SYSTEMD_FEATURES);
288 arg_pager_end = true;
300 arg_output = output_mode_from_string(optarg);
301 if (arg_output < 0) {
302 log_error("Unknown output format '%s'.", optarg);
306 if (arg_output == OUTPUT_EXPORT ||
307 arg_output == OUTPUT_JSON ||
308 arg_output == OUTPUT_JSON_PRETTY ||
309 arg_output == OUTPUT_JSON_SSE ||
310 arg_output == OUTPUT_CAT)
329 r = safe_atoi(optarg, &arg_lines);
330 if (r < 0 || arg_lines < 0) {
331 log_error("Failed to parse lines '%s'", optarg);
337 /* Hmm, no argument? Maybe the next
338 * word on the command line is
339 * supposed to be the argument? Let's
340 * see if there is one, and is
341 * parsable as a positive
345 safe_atoi(argv[optind], &n) >= 0 &&
361 arg_action = ACTION_NEW_ID128;
376 arg_boot_descriptor = optarg;
377 else if (optind < argc) {
380 if (argv[optind][0] != '-' ||
381 safe_atoi(argv[optind], &boot) >= 0) {
382 arg_boot_descriptor = argv[optind];
390 arg_action = ACTION_LIST_BOOTS;
394 arg_boot = arg_dmesg = true;
398 arg_journal_type |= SD_JOURNAL_SYSTEM;
402 arg_journal_type |= SD_JOURNAL_CURRENT_USER;
406 arg_machine = optarg;
410 arg_directory = optarg;
414 r = glob_extend(&arg_file, optarg);
416 log_error("Failed to add paths: %s", strerror(-r));
429 case ARG_AFTER_CURSOR:
430 arg_after_cursor = optarg;
433 case ARG_SHOW_CURSOR:
434 arg_show_cursor = true;
438 arg_action = ACTION_PRINT_HEADER;
442 arg_action = ACTION_VERIFY;
446 arg_action = ACTION_DISK_USAGE;
455 arg_action = ACTION_SETUP_KEYS;
460 arg_action = ACTION_VERIFY;
461 arg_verify_key = optarg;
466 r = parse_sec(optarg, &arg_interval);
467 if (r < 0 || arg_interval <= 0) {
468 log_error("Failed to parse sealing key change interval: %s", optarg);
477 log_error("Forward-secure sealing not available.");
484 dots = strstr(optarg, "..");
490 a = strndup(optarg, dots - optarg);
494 from = log_level_from_string(a);
495 to = log_level_from_string(dots + 2);
498 if (from < 0 || to < 0) {
499 log_error("Failed to parse log level range %s", optarg);
506 for (i = from; i <= to; i++)
507 arg_priorities |= 1 << i;
509 for (i = to; i <= from; i++)
510 arg_priorities |= 1 << i;
516 p = log_level_from_string(optarg);
518 log_error("Unknown log level %s", optarg);
524 for (i = 0; i <= p; i++)
525 arg_priorities |= 1 << i;
532 r = parse_timestamp(optarg, &arg_since);
534 log_error("Failed to parse timestamp: %s", optarg);
537 arg_since_set = true;
541 r = parse_timestamp(optarg, &arg_until);
543 log_error("Failed to parse timestamp: %s", optarg);
546 arg_until_set = true;
550 r = strv_extend(&arg_system_units, optarg);
556 r = strv_extend(&arg_user_units, optarg);
569 case ARG_LIST_CATALOG:
570 arg_action = ACTION_LIST_CATALOG;
573 case ARG_DUMP_CATALOG:
574 arg_action = ACTION_DUMP_CATALOG;
577 case ARG_UPDATE_CATALOG:
578 arg_action = ACTION_UPDATE_CATALOG;
589 assert_not_reached("Unhandled option");
593 if (arg_follow && !arg_no_tail && arg_lines < 0)
596 if (!!arg_directory + !!arg_file + !!arg_machine > 1) {
597 log_error("Please specify either -D/--directory= or --file= or -M/--machine=, not more than one.");
601 if (arg_since_set && arg_until_set && arg_since > arg_until) {
602 log_error("--since= must be before --until=.");
606 if (!!arg_cursor + !!arg_after_cursor + !!arg_since_set > 1) {
607 log_error("Please specify only one of --since=, --cursor=, and --after-cursor.");
611 if (arg_follow && arg_reverse) {
612 log_error("Please specify either --reverse= or --follow=, not both.");
619 static int generate_new_id128(void) {
624 r = sd_id128_randomize(&id);
626 log_error("Failed to generate ID: %s", strerror(-r));
630 printf("As string:\n"
631 SD_ID128_FORMAT_STR "\n\n"
633 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x\n\n"
635 "#define MESSAGE_XYZ SD_ID128_MAKE(",
636 SD_ID128_FORMAT_VAL(id),
637 SD_ID128_FORMAT_VAL(id));
638 for (i = 0; i < 16; i++)
639 printf("%02x%s", id.bytes[i], i != 15 ? "," : "");
640 fputs(")\n\n", stdout);
642 printf("As Python constant:\n"
644 ">>> MESSAGE_XYZ = uuid.UUID('" SD_ID128_FORMAT_STR "')\n",
645 SD_ID128_FORMAT_VAL(id));
650 static int add_matches(sd_journal *j, char **args) {
655 STRV_FOREACH(i, args) {
659 r = sd_journal_add_disjunction(j);
660 else if (path_is_absolute(*i)) {
661 _cleanup_free_ char *p, *t = NULL, *t2 = NULL;
663 _cleanup_free_ char *interpreter = NULL;
666 p = canonicalize_file_name(*i);
669 if (stat(path, &st) < 0) {
670 log_error("Couldn't stat file: %m");
674 if (S_ISREG(st.st_mode) && (0111 & st.st_mode)) {
675 if (executable_is_script(path, &interpreter) > 0) {
676 _cleanup_free_ char *comm;
678 comm = strndup(basename(path), 15);
682 t = strappend("_COMM=", comm);
684 /* Append _EXE only if the interpreter is not a link.
685 Otherwise it might be outdated often. */
686 if (lstat(interpreter, &st) == 0 &&
687 !S_ISLNK(st.st_mode)) {
688 t2 = strappend("_EXE=", interpreter);
693 t = strappend("_EXE=", path);
694 } else if (S_ISCHR(st.st_mode))
695 asprintf(&t, "_KERNEL_DEVICE=c%u:%u", major(st.st_rdev), minor(st.st_rdev));
696 else if (S_ISBLK(st.st_mode))
697 asprintf(&t, "_KERNEL_DEVICE=b%u:%u", major(st.st_rdev), minor(st.st_rdev));
699 log_error("File is neither a device node, nor regular file, nor executable: %s", *i);
706 r = sd_journal_add_match(j, t, 0);
708 r = sd_journal_add_match(j, t2, 0);
710 r = sd_journal_add_match(j, *i, 0);
713 log_error("Failed to add match '%s': %s", *i, strerror(-r));
721 static int boot_id_cmp(const void *a, const void *b) {
724 _a = ((const boot_id_t *)a)->first;
725 _b = ((const boot_id_t *)b)->first;
727 return _a < _b ? -1 : (_a > _b ? 1 : 0);
730 static int list_boots(sd_journal *j) {
733 unsigned int count = 0;
735 size_t length, allocated = 0;
737 _cleanup_free_ boot_id_t *all_ids = NULL;
739 r = sd_journal_query_unique(j, "_BOOT_ID");
743 SD_JOURNAL_FOREACH_UNIQUE(j, data, length) {
744 if (length < strlen("_BOOT_ID="))
747 if (!GREEDY_REALLOC(all_ids, allocated, count + 1))
750 id = &all_ids[count];
752 r = sd_id128_from_string(((const char *)data) + strlen("_BOOT_ID="), &id->id);
756 r = sd_journal_add_match(j, data, length);
760 r = sd_journal_seek_head(j);
764 r = sd_journal_next(j);
770 r = sd_journal_get_realtime_usec(j, &id->first);
774 r = sd_journal_seek_tail(j);
778 r = sd_journal_previous(j);
784 r = sd_journal_get_realtime_usec(j, &id->last);
790 sd_journal_flush_matches(j);
793 qsort_safe(all_ids, count, sizeof(boot_id_t), boot_id_cmp);
795 /* numbers are one less, but we need an extra char for the sign */
796 w = DECIMAL_STR_WIDTH(count - 1) + 1;
798 for (id = all_ids, i = 0; id < all_ids + count; id++, i++) {
799 char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX];
801 printf("% *i " SD_ID128_FORMAT_STR " %s—%s\n",
803 SD_ID128_FORMAT_VAL(id->id),
804 format_timestamp(a, sizeof(a), id->first),
805 format_timestamp(b, sizeof(b), id->last));
811 static int get_relative_boot_id(sd_journal *j, sd_id128_t *boot_id, int relative) {
814 unsigned int count = 0;
815 size_t length, allocated = 0;
816 boot_id_t ref_boot_id = {SD_ID128_NULL}, *id;
817 _cleanup_free_ boot_id_t *all_ids = NULL;
822 if (relative == 0 && !sd_id128_equal(*boot_id, SD_ID128_NULL))
825 r = sd_journal_query_unique(j, "_BOOT_ID");
829 SD_JOURNAL_FOREACH_UNIQUE(j, data, length) {
830 if (length < strlen("_BOOT_ID="))
833 if (!GREEDY_REALLOC(all_ids, allocated, count + 1))
836 id = &all_ids[count];
838 r = sd_id128_from_string(((const char *)data) + strlen("_BOOT_ID="), &id->id);
842 r = sd_journal_add_match(j, data, length);
846 r = sd_journal_seek_head(j);
850 r = sd_journal_next(j);
856 r = sd_journal_get_realtime_usec(j, &id->first);
860 if (sd_id128_equal(id->id, *boot_id))
865 sd_journal_flush_matches(j);
868 qsort_safe(all_ids, count, sizeof(boot_id_t), boot_id_cmp);
870 if (sd_id128_equal(*boot_id, SD_ID128_NULL)) {
871 if (relative > (int) count || relative <= -(int)count)
872 return -EADDRNOTAVAIL;
874 *boot_id = all_ids[(relative <= 0)*count + relative - 1].id;
876 id = bsearch(&ref_boot_id, all_ids, count, sizeof(boot_id_t), boot_id_cmp);
879 relative <= 0 ? (id - all_ids) + relative < 0 :
880 (id - all_ids) + relative >= (int) count)
881 return -EADDRNOTAVAIL;
883 *boot_id = (id + relative)->id;
889 static int add_boot(sd_journal *j) {
890 char match[9+32+1] = "_BOOT_ID=";
892 sd_id128_t boot_id = SD_ID128_NULL;
900 if (!arg_boot_descriptor)
901 return add_match_this_boot(j, arg_machine);
903 if (strlen(arg_boot_descriptor) >= 32) {
904 char tmp = arg_boot_descriptor[32];
905 arg_boot_descriptor[32] = '\0';
906 r = sd_id128_from_string(arg_boot_descriptor, &boot_id);
907 arg_boot_descriptor[32] = tmp;
910 log_error("Failed to parse boot ID '%.32s': %s",
911 arg_boot_descriptor, strerror(-r));
915 offset = arg_boot_descriptor + 32;
917 if (*offset && *offset != '-' && *offset != '+') {
918 log_error("Relative boot ID offset must start with a '+' or a '-', found '%s' ", offset);
922 offset = arg_boot_descriptor;
925 r = safe_atoi(offset, &relative);
927 log_error("Failed to parse relative boot ID number '%s'", offset);
932 r = get_relative_boot_id(j, &boot_id, relative);
934 if (sd_id128_equal(boot_id, SD_ID128_NULL))
935 log_error("Failed to look up boot %+d: %s", relative, strerror(-r));
937 log_error("Failed to look up boot ID "SD_ID128_FORMAT_STR"%+d: %s",
938 SD_ID128_FORMAT_VAL(boot_id), relative, strerror(-r));
942 sd_id128_to_string(boot_id, match + 9);
944 r = sd_journal_add_match(j, match, sizeof(match) - 1);
946 log_error("Failed to add match: %s", strerror(-r));
950 r = sd_journal_add_conjunction(j);
957 static int add_dmesg(sd_journal *j) {
964 r = sd_journal_add_match(j, "_TRANSPORT=kernel", strlen("_TRANSPORT=kernel"));
966 log_error("Failed to add match: %s", strerror(-r));
970 r = sd_journal_add_conjunction(j);
977 static int add_units(sd_journal *j) {
978 _cleanup_free_ char *u = NULL;
984 STRV_FOREACH(i, arg_system_units) {
985 u = unit_name_mangle(*i);
988 r = add_matches_for_unit(j, u);
991 r = sd_journal_add_disjunction(j);
996 STRV_FOREACH(i, arg_user_units) {
997 u = unit_name_mangle(*i);
1001 r = add_matches_for_user_unit(j, u, getuid());
1005 r = sd_journal_add_disjunction(j);
1011 r = sd_journal_add_conjunction(j);
1018 static int add_priorities(sd_journal *j) {
1019 char match[] = "PRIORITY=0";
1023 if (arg_priorities == 0xFF)
1026 for (i = LOG_EMERG; i <= LOG_DEBUG; i++)
1027 if (arg_priorities & (1 << i)) {
1028 match[sizeof(match)-2] = '0' + i;
1030 r = sd_journal_add_match(j, match, strlen(match));
1032 log_error("Failed to add match: %s", strerror(-r));
1037 r = sd_journal_add_conjunction(j);
1044 static int setup_keys(void) {
1046 size_t mpk_size, seed_size, state_size, i;
1047 uint8_t *mpk, *seed, *state;
1049 int fd = -1, r, attr = 0;
1050 sd_id128_t machine, boot;
1051 char *p = NULL, *k = NULL;
1056 r = stat("/var/log/journal", &st);
1057 if (r < 0 && errno != ENOENT && errno != ENOTDIR) {
1058 log_error("stat(\"%s\") failed: %m", "/var/log/journal");
1062 if (r < 0 || !S_ISDIR(st.st_mode)) {
1063 log_error("%s is not a directory, must be using persistent logging for FSS.",
1064 "/var/log/journal");
1065 return r < 0 ? -errno : -ENOTDIR;
1068 r = sd_id128_get_machine(&machine);
1070 log_error("Failed to get machine ID: %s", strerror(-r));
1074 r = sd_id128_get_boot(&boot);
1076 log_error("Failed to get boot ID: %s", strerror(-r));
1080 if (asprintf(&p, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss",
1081 SD_ID128_FORMAT_VAL(machine)) < 0)
1084 if (access(p, F_OK) >= 0) {
1088 log_error("unlink(\"%s\") failed: %m", p);
1093 log_error("Sealing key file %s exists already. (--force to recreate)", p);
1099 if (asprintf(&k, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss.tmp.XXXXXX",
1100 SD_ID128_FORMAT_VAL(machine)) < 0) {
1105 mpk_size = FSPRG_mskinbytes(FSPRG_RECOMMENDED_SECPAR);
1106 mpk = alloca(mpk_size);
1108 seed_size = FSPRG_RECOMMENDED_SEEDLEN;
1109 seed = alloca(seed_size);
1111 state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR);
1112 state = alloca(state_size);
1114 fd = open("/dev/random", O_RDONLY|O_CLOEXEC|O_NOCTTY);
1116 log_error("Failed to open /dev/random: %m");
1121 log_info("Generating seed...");
1122 l = loop_read(fd, seed, seed_size, true);
1123 if (l < 0 || (size_t) l != seed_size) {
1124 log_error("Failed to read random seed: %s", strerror(EIO));
1129 log_info("Generating key pair...");
1130 FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR);
1132 log_info("Generating sealing key...");
1133 FSPRG_GenState0(state, mpk, seed, seed_size);
1135 assert(arg_interval > 0);
1137 n = now(CLOCK_REALTIME);
1140 close_nointr_nofail(fd);
1141 fd = mkostemp(k, O_WRONLY|O_CLOEXEC|O_NOCTTY);
1143 log_error("Failed to open %s: %m", k);
1148 /* Enable secure remove, exclusion from dump, synchronous
1149 * writing and in-place updating */
1150 if (ioctl(fd, FS_IOC_GETFLAGS, &attr) < 0)
1151 log_warning("FS_IOC_GETFLAGS failed: %m");
1153 attr |= FS_SECRM_FL|FS_NODUMP_FL|FS_SYNC_FL|FS_NOCOW_FL;
1155 if (ioctl(fd, FS_IOC_SETFLAGS, &attr) < 0)
1156 log_warning("FS_IOC_SETFLAGS failed: %m");
1159 memcpy(h.signature, "KSHHRHLP", 8);
1160 h.machine_id = machine;
1162 h.header_size = htole64(sizeof(h));
1163 h.start_usec = htole64(n * arg_interval);
1164 h.interval_usec = htole64(arg_interval);
1165 h.fsprg_secpar = htole16(FSPRG_RECOMMENDED_SECPAR);
1166 h.fsprg_state_size = htole64(state_size);
1168 l = loop_write(fd, &h, sizeof(h), false);
1169 if (l < 0 || (size_t) l != sizeof(h)) {
1170 log_error("Failed to write header: %s", strerror(EIO));
1175 l = loop_write(fd, state, state_size, false);
1176 if (l < 0 || (size_t) l != state_size) {
1177 log_error("Failed to write state: %s", strerror(EIO));
1182 if (link(k, p) < 0) {
1183 log_error("Failed to link file: %m");
1191 "The new key pair has been generated. The " ANSI_HIGHLIGHT_ON "secret sealing key" ANSI_HIGHLIGHT_OFF " has been written to\n"
1192 "the following local file. This key file is automatically updated when the\n"
1193 "sealing key is advanced. It should not be used on multiple hosts.\n"
1197 "Please write down the following " ANSI_HIGHLIGHT_ON "secret verification key" ANSI_HIGHLIGHT_OFF ". It should be stored\n"
1198 "at a safe location and should not be saved locally on disk.\n"
1199 "\n\t" ANSI_HIGHLIGHT_RED_ON, p);
1202 for (i = 0; i < seed_size; i++) {
1203 if (i > 0 && i % 3 == 0)
1205 printf("%02x", ((uint8_t*) seed)[i]);
1208 printf("/%llx-%llx\n", (unsigned long long) n, (unsigned long long) arg_interval);
1211 char tsb[FORMAT_TIMESPAN_MAX], *hn;
1214 ANSI_HIGHLIGHT_OFF "\n"
1215 "The sealing key is automatically changed every %s.\n",
1216 format_timespan(tsb, sizeof(tsb), arg_interval, 0));
1218 hn = gethostname_malloc();
1221 hostname_cleanup(hn, false);
1222 fprintf(stderr, "\nThe keys have been generated for host %s/" SD_ID128_FORMAT_STR ".\n", hn, SD_ID128_FORMAT_VAL(machine));
1224 fprintf(stderr, "\nThe keys have been generated for host " SD_ID128_FORMAT_STR ".\n", SD_ID128_FORMAT_VAL(machine));
1226 #ifdef HAVE_QRENCODE
1227 /* If this is not an UTF-8 system don't print any QR codes */
1228 if (is_locale_utf8()) {
1229 fputs("\nTo transfer the verification key to your phone please scan the QR code below:\n\n", stderr);
1230 print_qr_code(stderr, seed, seed_size, n, arg_interval, hn, machine);
1240 close_nointr_nofail(fd);
1251 log_error("Forward-secure sealing not available.");
1256 static int verify(sd_journal *j) {
1263 log_show_color(true);
1265 HASHMAP_FOREACH(f, j->files, i) {
1267 usec_t first, validated, last;
1270 if (!arg_verify_key && JOURNAL_HEADER_SEALED(f->header))
1271 log_notice("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
1274 k = journal_file_verify(f, arg_verify_key, &first, &validated, &last, true);
1276 /* If the key was invalid give up right-away. */
1279 log_warning("FAIL: %s (%s)", f->path, strerror(-k));
1282 char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX];
1283 log_info("PASS: %s", f->path);
1285 if (arg_verify_key && JOURNAL_HEADER_SEALED(f->header)) {
1286 if (validated > 0) {
1287 log_info("=> Validated from %s to %s, final %s entries not sealed.",
1288 format_timestamp(a, sizeof(a), first),
1289 format_timestamp(b, sizeof(b), validated),
1290 format_timespan(c, sizeof(c), last > validated ? last - validated : 0, 0));
1291 } else if (last > 0)
1292 log_info("=> No sealing yet, %s of entries not sealed.",
1293 format_timespan(c, sizeof(c), last - first, 0));
1295 log_info("=> No sealing yet, no entries in file.");
1304 static int access_check_var_log_journal(sd_journal *j) {
1305 _cleanup_strv_free_ char **g = NULL;
1311 have_access = in_group("systemd-journal") > 0;
1314 /* Let's enumerate all groups from the default ACL of
1315 * the directory, which generally should allow access
1316 * to most journal files too */
1317 r = search_acl_groups(&g, "/var/log/journal/", &have_access);
1324 if (strv_isempty(g))
1325 log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
1326 " Users in the 'systemd-journal' group can see all messages. Pass -q to\n"
1327 " turn off this notice.");
1329 _cleanup_free_ char *s = NULL;
1331 r = strv_extend(&g, "systemd-journal");
1338 s = strv_join(g, "', '");
1342 log_notice("Hint: You are currently not seeing messages from other users and the system.\n"
1343 " Users in the groups '%s' can see all messages.\n"
1344 " Pass -q to turn off this notice.", s);
1352 static int access_check(sd_journal *j) {
1359 if (set_isempty(j->errors)) {
1360 if (hashmap_isempty(j->files))
1361 log_notice("No journal files were found.");
1365 if (set_contains(j->errors, INT_TO_PTR(-EACCES))) {
1367 /* If /var/log/journal doesn't even exist,
1368 * unprivileged users have no access at all */
1369 if (access("/var/log/journal", F_OK) < 0 &&
1371 in_group("systemd-journal") <= 0) {
1372 log_error("Unprivileged users cannot access messages, unless persistent log storage is\n"
1373 "enabled. Users in the 'systemd-journal' group may always access messages.");
1377 /* If /var/log/journal exists, try to pring a nice
1378 notice if the user lacks access to it */
1379 if (!arg_quiet && geteuid() != 0) {
1380 r = access_check_var_log_journal(j);
1385 if (geteuid() != 0 && in_group("systemd-journal") <= 0) {
1386 log_error("Unprivileged users cannot access messages. Users in the 'systemd-journal' group\n"
1387 "group may access messages.");
1392 if (hashmap_isempty(j->files)) {
1393 log_error("No journal files were opened due to insufficient permissions.");
1398 SET_FOREACH(code, j->errors, it) {
1401 err = -PTR_TO_INT(code);
1405 log_warning("Error was encountered while opening journal files: %s",
1412 int main(int argc, char *argv[]) {
1414 _cleanup_journal_close_ sd_journal *j = NULL;
1415 bool need_seek = false;
1416 sd_id128_t previous_boot_id;
1417 bool previous_boot_id_valid = false, first_line = true;
1419 bool ellipsized = false;
1421 setlocale(LC_ALL, "");
1422 log_parse_environment();
1425 r = parse_argv(argc, argv);
1429 signal(SIGWINCH, columns_lines_cache_reset);
1431 if (arg_action == ACTION_NEW_ID128) {
1432 r = generate_new_id128();
1436 if (arg_action == ACTION_SETUP_KEYS) {
1441 if (arg_action == ACTION_UPDATE_CATALOG ||
1442 arg_action == ACTION_LIST_CATALOG ||
1443 arg_action == ACTION_DUMP_CATALOG) {
1445 const char* database = CATALOG_DATABASE;
1446 _cleanup_free_ char *copy = NULL;
1448 copy = strjoin(arg_root, "/", CATALOG_DATABASE, NULL);
1453 path_kill_slashes(copy);
1457 if (arg_action == ACTION_UPDATE_CATALOG) {
1458 r = catalog_update(database, arg_root, catalog_file_dirs);
1460 log_error("Failed to list catalog: %s", strerror(-r));
1462 bool oneline = arg_action == ACTION_LIST_CATALOG;
1465 r = catalog_list_items(stdout, database,
1466 oneline, argv + optind);
1468 r = catalog_list(stdout, database, oneline);
1470 log_error("Failed to list catalog: %s", strerror(-r));
1477 r = sd_journal_open_directory(&j, arg_directory, arg_journal_type);
1479 r = sd_journal_open_files(&j, (const char**) arg_file, 0);
1480 else if (arg_machine)
1481 r = sd_journal_open_container(&j, arg_machine, 0);
1483 r = sd_journal_open(&j, !arg_merge*SD_JOURNAL_LOCAL_ONLY + arg_journal_type);
1485 log_error("Failed to open %s: %s",
1486 arg_directory ? arg_directory : arg_file ? "files" : "journal",
1488 return EXIT_FAILURE;
1491 r = access_check(j);
1493 return EXIT_FAILURE;
1495 if (arg_action == ACTION_VERIFY) {
1500 if (arg_action == ACTION_PRINT_HEADER) {
1501 journal_print_header(j);
1502 return EXIT_SUCCESS;
1505 if (arg_action == ACTION_DISK_USAGE) {
1507 char sbytes[FORMAT_BYTES_MAX];
1509 r = sd_journal_get_usage(j, &bytes);
1511 return EXIT_FAILURE;
1513 printf("Journals take up %s on disk.\n",
1514 format_bytes(sbytes, sizeof(sbytes), bytes));
1515 return EXIT_SUCCESS;
1518 if (arg_action == ACTION_LIST_BOOTS) {
1523 /* add_boot() must be called first!
1524 * It may need to seek the journal to find parent boot IDs. */
1527 return EXIT_FAILURE;
1531 return EXIT_FAILURE;
1534 strv_free(arg_system_units);
1535 strv_free(arg_user_units);
1538 return EXIT_FAILURE;
1540 r = add_priorities(j);
1542 return EXIT_FAILURE;
1544 r = add_matches(j, argv + optind);
1546 return EXIT_FAILURE;
1548 if (_unlikely_(log_get_max_level() >= LOG_PRI(LOG_DEBUG))) {
1549 _cleanup_free_ char *filter;
1551 filter = journal_make_match_string(j);
1552 log_debug("Journal filter: %s", filter);
1559 r = sd_journal_set_data_threshold(j, 0);
1561 log_error("Failed to unset data size threshold");
1562 return EXIT_FAILURE;
1565 r = sd_journal_query_unique(j, arg_field);
1567 log_error("Failed to query unique data objects: %s", strerror(-r));
1568 return EXIT_FAILURE;
1571 SD_JOURNAL_FOREACH_UNIQUE(j, data, size) {
1574 if (arg_lines >= 0 && n_shown >= arg_lines)
1577 eq = memchr(data, '=', size);
1579 printf("%.*s\n", (int) (size - ((const uint8_t*) eq - (const uint8_t*) data + 1)), (const char*) eq + 1);
1581 printf("%.*s\n", (int) size, (const char*) data);
1586 return EXIT_SUCCESS;
1589 /* Opening the fd now means the first sd_journal_wait() will actually wait */
1591 r = sd_journal_get_fd(j);
1593 return EXIT_FAILURE;
1596 if (arg_cursor || arg_after_cursor) {
1597 r = sd_journal_seek_cursor(j, arg_cursor ? arg_cursor : arg_after_cursor);
1599 log_error("Failed to seek to cursor: %s", strerror(-r));
1600 return EXIT_FAILURE;
1603 r = sd_journal_next_skip(j, 1 + !!arg_after_cursor);
1605 r = sd_journal_previous_skip(j, 1 + !!arg_after_cursor);
1607 if (arg_after_cursor && r < 2 && !arg_follow)
1608 /* We couldn't find the next entry after the cursor. */
1611 } else if (arg_since_set && !arg_reverse) {
1612 r = sd_journal_seek_realtime_usec(j, arg_since);
1614 log_error("Failed to seek to date: %s", strerror(-r));
1615 return EXIT_FAILURE;
1617 r = sd_journal_next(j);
1619 } else if (arg_until_set && arg_reverse) {
1620 r = sd_journal_seek_realtime_usec(j, arg_until);
1622 log_error("Failed to seek to date: %s", strerror(-r));
1623 return EXIT_FAILURE;
1625 r = sd_journal_previous(j);
1627 } else if (arg_lines >= 0) {
1628 r = sd_journal_seek_tail(j);
1630 log_error("Failed to seek to tail: %s", strerror(-r));
1631 return EXIT_FAILURE;
1634 r = sd_journal_previous_skip(j, arg_lines);
1636 } else if (arg_reverse) {
1637 r = sd_journal_seek_tail(j);
1639 log_error("Failed to seek to tail: %s", strerror(-r));
1640 return EXIT_FAILURE;
1643 r = sd_journal_previous(j);
1646 r = sd_journal_seek_head(j);
1648 log_error("Failed to seek to head: %s", strerror(-r));
1649 return EXIT_FAILURE;
1652 r = sd_journal_next(j);
1656 log_error("Failed to iterate through journal: %s", strerror(-r));
1657 return EXIT_FAILURE;
1661 pager_open_if_enabled();
1665 char start_buf[FORMAT_TIMESTAMP_MAX], end_buf[FORMAT_TIMESTAMP_MAX];
1667 r = sd_journal_get_cutoff_realtime_usec(j, &start, &end);
1669 log_error("Failed to get cutoff: %s", strerror(-r));
1675 printf("-- Logs begin at %s. --\n",
1676 format_timestamp(start_buf, sizeof(start_buf), start));
1678 printf("-- Logs begin at %s, end at %s. --\n",
1679 format_timestamp(start_buf, sizeof(start_buf), start),
1680 format_timestamp(end_buf, sizeof(end_buf), end));
1685 while (arg_lines < 0 || n_shown < arg_lines || (arg_follow && !first_line)) {
1690 r = sd_journal_next(j);
1692 r = sd_journal_previous(j);
1694 log_error("Failed to iterate through journal: %s", strerror(-r));
1701 if (arg_until_set && !arg_reverse) {
1704 r = sd_journal_get_realtime_usec(j, &usec);
1706 log_error("Failed to determine timestamp: %s", strerror(-r));
1709 if (usec > arg_until)
1713 if (arg_since_set && arg_reverse) {
1716 r = sd_journal_get_realtime_usec(j, &usec);
1718 log_error("Failed to determine timestamp: %s", strerror(-r));
1721 if (usec < arg_since)
1728 r = sd_journal_get_monotonic_usec(j, NULL, &boot_id);
1730 if (previous_boot_id_valid &&
1731 !sd_id128_equal(boot_id, previous_boot_id))
1732 printf("%s-- Reboot --%s\n",
1733 ansi_highlight(), ansi_highlight_off());
1735 previous_boot_id = boot_id;
1736 previous_boot_id_valid = true;
1741 arg_all * OUTPUT_SHOW_ALL |
1742 arg_full * OUTPUT_FULL_WIDTH |
1743 on_tty() * OUTPUT_COLOR |
1744 arg_catalog * OUTPUT_CATALOG;
1746 r = output_journal(stdout, j, arg_output, 0, flags, &ellipsized);
1748 if (r == -EADDRNOTAVAIL)
1750 else if (r < 0 || ferror(stdout))
1757 if (arg_show_cursor) {
1758 _cleanup_free_ char *cursor = NULL;
1760 r = sd_journal_get_cursor(j, &cursor);
1761 if (r < 0 && r != -EADDRNOTAVAIL)
1762 log_error("Failed to get cursor: %s", strerror(-r));
1764 printf("-- cursor: %s\n", cursor);
1770 r = sd_journal_wait(j, (uint64_t) -1);
1772 log_error("Couldn't wait for journal event: %s", strerror(-r));
1782 return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;