#include <time.h>
#include <getopt.h>
#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <linux/fs.h>
#include <systemd/sd-journal.h>
#include "journal-def.h"
#include "journal-verify.h"
#include "journal-authenticate.h"
+#include "journal-qrcode.h"
#include "fsprg.h"
#define DEFAULT_FSS_INTERVAL_USEC (15*USEC_PER_MINUTE)
static int arg_lines = -1;
static bool arg_no_tail = false;
static bool arg_quiet = false;
-static bool arg_local = false;
+static bool arg_merge = false;
static bool arg_this_boot = false;
static const char *arg_directory = NULL;
static int arg_priorities = 0xFF;
static const char *arg_verify_key = NULL;
+#ifdef HAVE_GCRYPT
static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
+#endif
static enum {
ACTION_SHOW,
" -n --lines=INTEGER Journal entries to show\n"
" --no-tail Show all lines, even in follow mode\n"
" -o --output=STRING Change journal output mode (short, short-monotonic,\n"
- " verbose, export, json, cat)\n"
+ " verbose, export, json, json-pretty, cat)\n"
" -q --quiet Don't show privilege warning\n"
- " -l --local Only local entries\n"
+ " -m --merge Show entries from all available journals\n"
" -b --this-boot Show data only from current boot\n"
" -D --directory=PATH Show journal files from directory\n"
" -p --priority=RANGE Show only messages within the specified priority range\n\n"
"Commands:\n"
" --new-id128 Generate a new 128 Bit ID\n"
" --header Show journal header information\n"
+#ifdef HAVE_GCRYPT
" --setup-keys Generate new FSS key pair\n"
" --interval=TIME Time interval for changing the FSS sealing key\n"
" --verify Verify journal file consistency\n"
- " --verify-key=KEY Specify FSS verification key\n",
- program_invocation_short_name);
+ " --verify-key=KEY Specify FSS verification key\n"
+#endif
+ , program_invocation_short_name);
return 0;
}
{ "no-tail", no_argument, NULL, ARG_NO_TAIL },
{ "new-id128", no_argument, NULL, ARG_NEW_ID128 },
{ "quiet", no_argument, NULL, 'q' },
- { "local", no_argument, NULL, 'l' },
+ { "merge", no_argument, NULL, 'm' },
{ "this-boot", no_argument, NULL, 'b' },
{ "directory", required_argument, NULL, 'D' },
{ "header", no_argument, NULL, ARG_HEADER },
assert(argc >= 0);
assert(argv);
- while ((c = getopt_long(argc, argv, "hfo:an:qlbD:p:", options, NULL)) >= 0) {
+ while ((c = getopt_long(argc, argv, "hfo:an:qmbD:p:", options, NULL)) >= 0) {
switch (c) {
arg_quiet = true;
break;
- case 'l':
- arg_local = true;
+ case 'm':
+ arg_merge = true;
break;
case 'b':
arg_action = ACTION_PRINT_HEADER;
break;
+ case ARG_VERIFY:
+ arg_action = ACTION_VERIFY;
+ break;
+
+#ifdef HAVE_GCRYPT
case ARG_SETUP_KEYS:
arg_action = ACTION_SETUP_KEYS;
break;
- case ARG_VERIFY:
- arg_action = ACTION_VERIFY;
- break;
case ARG_VERIFY_KEY:
arg_action = ACTION_VERIFY;
arg_verify_key = optarg;
+ arg_merge = false;
break;
case ARG_INTERVAL:
return -EINVAL;
}
break;
+#else
+ case ARG_SETUP_KEYS:
+ case ARG_VERIFY_KEY:
+ case ARG_INTERVAL:
+ log_error("Forward-secure sealing not available.");
+ return -ENOTSUP;
+#endif
case 'p': {
const char *dots;
size_t mpk_size, seed_size, state_size, i;
uint8_t *mpk, *seed, *state;
ssize_t l;
- int fd = -1, r;
+ int fd = -1, r, attr = 0;
sd_id128_t machine, boot;
char *p = NULL, *k = NULL;
struct FSSHeader h;
return log_oom();
if (access(p, F_OK) >= 0) {
- log_error("Evolving key file %s exists already.", p);
+ log_error("Sealing key file %s exists already.", p);
r = -EEXIST;
goto finish;
}
goto finish;
}
+ /* Enable secure remove, exclusion from dump, synchronous
+ * writing and in-place updating */
+ if (ioctl(fd, FS_IOC_GETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_GETFLAGS failed: %m");
+
+ attr |= FS_SECRM_FL|FS_NODUMP_FL|FS_SYNC_FL|FS_NOCOW_FL;
+
+ if (ioctl(fd, FS_IOC_SETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_SETFLAGS failed: %m");
+
zero(h);
memcpy(h.signature, "KSHHRHLP", 8);
h.machine_id = machine;
fprintf(stderr,
"\n"
"The new key pair has been generated. The " ANSI_HIGHLIGHT_ON "secret sealing key" ANSI_HIGHLIGHT_OFF " has been written to\n"
- "the following local file. It should not be used on multiple hosts.\n"
+ "the following local file. This key file is automatically updated when the\n"
+ "sealing key is advanced. It should not be used on multiple hosts.\n"
"\n"
"\t%s\n"
"\n"
printf("/%llx-%llx\n", (unsigned long long) n, (unsigned long long) arg_interval);
if (isatty(STDOUT_FILENO)) {
- char tsb[FORMAT_TIMESPAN_MAX];
+ char tsb[FORMAT_TIMESPAN_MAX], *hn;
fprintf(stderr,
ANSI_HIGHLIGHT_OFF "\n"
"The sealing key is automatically changed every %s.\n",
format_timespan(tsb, sizeof(tsb), arg_interval));
+
+ hn = gethostname_malloc();
+
+ if (hn) {
+ hostname_cleanup(hn);
+ fprintf(stderr, "\nThe keys have been generated for host %s/" SD_ID128_FORMAT_STR ".\n", hn, SD_ID128_FORMAT_VAL(machine));
+ } else
+ fprintf(stderr, "\nThe keys have been generated for host " SD_ID128_FORMAT_STR ".\n", SD_ID128_FORMAT_VAL(machine));
+
+#ifdef HAVE_QRENCODE
+ fprintf(stderr, "\nTo transfer the verification key to your phone please scan the QR code below:\n\n");
+ print_qr_code(stderr, seed, seed_size, n, arg_interval, hn, machine);
+#endif
+ free(hn);
}
r = 0;
return r;
#else
- log_error("Forward-secure journal verification not available.");
+ log_error("Forward-secure sealing not available.");
+ return -ENOTSUP;
#endif
}
assert(j);
+ log_show_color(true);
+
HASHMAP_FOREACH(f, j->files, i) {
int k;
usec_t from, to, total;
#ifdef HAVE_GCRYPT
- if (!arg_verify_key && journal_file_fss_enabled(f))
- log_warning("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
+ if (!arg_verify_key && JOURNAL_HEADER_SEALED(f->header))
+ log_notice("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
#endif
- k = journal_file_verify(f, arg_verify_key, &from, &to, &total);
+ k = journal_file_verify(f, arg_verify_key, &from, &to, &total, true);
if (k == -EINVAL) {
/* If the key was invalid give up right-away. */
return k;
char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX];
log_info("PASS: %s", f->path);
- if (journal_file_fss_enabled(f))
- log_info("=> Validated from %s to %s, %s missing",
- format_timestamp(a, sizeof(a), from),
- format_timestamp(b, sizeof(b), to),
- format_timespan(c, sizeof(c), total > to ? total - to : 0));
+ if (arg_verify_key && JOURNAL_HEADER_SEALED(f->header)) {
+ if (from > 0) {
+ log_info("=> Validated from %s to %s, final %s entries not sealed.",
+ format_timestamp(a, sizeof(a), from),
+ format_timestamp(b, sizeof(b), to),
+ format_timespan(c, sizeof(c), total > to ? total - to : 0));
+ } else if (total > 0)
+ log_info("=> No sealing yet, %s of entries not sealed.",
+ format_timespan(c, sizeof(c), total));
+ else
+ log_info("=> No sealing yet, no entries in file.");
+ }
}
}
if (arg_directory)
r = sd_journal_open_directory(&j, arg_directory, 0);
else
- r = sd_journal_open(&j, arg_local ? SD_JOURNAL_LOCAL_ONLY : 0);
+ r = sd_journal_open(&j, arg_merge ? 0 : SD_JOURNAL_LOCAL_ONLY);
if (r < 0) {
log_error("Failed to open journal: %s", strerror(-r));
}
#ifdef HAVE_ACL
+ if (access("/var/log/journal", F_OK) < 0 && geteuid() != 0 && in_group("adm") <= 0) {
+ log_error("Unprivileged users can't see messages unless persistent log storage is enabled. Users in the group 'adm' can always see messages.");
+ r = -EACCES;
+ goto finish;
+ }
+
if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
- log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.");
+ log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this notice off.");
+#else
+ if (geteuid() != 0 && in_group("adm") <= 0) {
+ log_error("No access to messages. Only users in the group 'adm' can see messages.");
+ r = -EACCES;
+ goto finish;
+ }
#endif
r = add_this_boot(j);
on_tty();
have_pager = !arg_no_pager && !arg_follow && pager_open();
- if (arg_output == OUTPUT_JSON) {
- fputc('[', stdout);
- fflush(stdout);
- }
-
for (;;) {
for (;;) {
- sd_id128_t boot_id;
int flags =
arg_show_all * OUTPUT_SHOW_ALL |
have_pager * OUTPUT_FULL_WIDTH |
if (r == 0)
break;
- r = sd_journal_get_monotonic_usec(j, NULL, &boot_id);
- if (r >= 0) {
- if (previous_boot_id_valid &&
- !sd_id128_equal(boot_id, previous_boot_id))
- printf(ANSI_HIGHLIGHT_ON "----- Reboot -----" ANSI_HIGHLIGHT_OFF "\n");
+ if (!arg_merge) {
+ sd_id128_t boot_id;
+
+ r = sd_journal_get_monotonic_usec(j, NULL, &boot_id);
+ if (r >= 0) {
+ if (previous_boot_id_valid &&
+ !sd_id128_equal(boot_id, previous_boot_id))
+ printf(ANSI_HIGHLIGHT_ON "----- Reboot -----" ANSI_HIGHLIGHT_OFF "\n");
- previous_boot_id = boot_id;
- previous_boot_id_valid = true;
+ previous_boot_id = boot_id;
+ previous_boot_id_valid = true;
+ }
}
line ++;
}
}
- if (arg_output == OUTPUT_JSON)
- fputs("\n]\n", stdout);
-
finish:
if (j)
sd_journal_close(j);