mkdir: append _label to all mkdir() calls that explicitly set the selinux context
[elogind.git] / src / journal / journald.c
index 547c4ecc218e3935e65902d342ebb8d6eca69753..e0e7cce1227d4aea19cc2934939efd56ae6445ee 100644 (file)
 #include <sys/statvfs.h>
 
 #include <systemd/sd-journal.h>
-#include <systemd/sd-login.h>
 #include <systemd/sd-messages.h>
 #include <systemd/sd-daemon.h>
 
+#ifdef HAVE_LOGIND
+#include <systemd/sd-login.h>
+#endif
+
 #include "mkdir.h"
 #include "hashmap.h"
 #include "journal-file.h"
@@ -479,7 +482,9 @@ static void dispatch_message_real(
 
         if (ucred) {
                 uint32_t audit;
+#ifdef HAVE_LOGIND
                 uid_t owner;
+#endif
 
                 realuid = ucred->uid;
 
@@ -538,6 +543,7 @@ static void dispatch_message_real(
                                 IOVEC_SET_STRING(iovec[n++], cgroup);
                 }
 
+#ifdef HAVE_LOGIND
                 if (sd_pid_get_session(ucred->pid, &t) >= 0) {
                         session = strappend("_SYSTEMD_SESSION=", t);
                         free(t);
@@ -546,7 +552,12 @@ static void dispatch_message_real(
                                 IOVEC_SET_STRING(iovec[n++], session);
                 }
 
-                if (sd_pid_get_unit(ucred->pid, &t) >= 0) {
+                if (sd_pid_get_owner_uid(ucred->uid, &owner) >= 0)
+                        if (asprintf(&owner_uid, "_SYSTEMD_OWNER_UID=%lu", (unsigned long) owner) >= 0)
+                                IOVEC_SET_STRING(iovec[n++], owner_uid);
+#endif
+
+                if (cg_pid_get_unit(ucred->pid, &t) >= 0) {
                         unit = strappend("_SYSTEMD_UNIT=", t);
                         free(t);
 
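Review bot: The relocated owner-UID lookup passes `ucred->uid` as the first argument of `sd_pid_get_owner_uid()`, while the neighbouring `sd_pid_get_session()` and `cg_pid_get_unit()` calls pass `ucred->pid`. The function takes a PID, so `_SYSTEMD_OWNER_UID` is resolved for whichever process happens to have a PID equal to the sender's UID, or not at all. The removed lines had the same mistake, but since the block is being moved it should become `if (sd_pid_get_owner_uid(ucred->pid, &owner) >= 0)`. Underscore-prefixed fields are the ones readers treat as supplied by journald itself, so a wrong value here misattributes entries during audit or incident review. dispatch_message_real() starts and ends outside this hunk.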
@@ -554,10 +565,6 @@ static void dispatch_message_real(
                                 IOVEC_SET_STRING(iovec[n++], unit);
                 }
 
-                if (sd_pid_get_owner_uid(ucred->uid, &owner) >= 0)
-                        if (asprintf(&owner_uid, "_SYSTEMD_OWNER_UID=%lu", (unsigned long) owner) >= 0)
-                                IOVEC_SET_STRING(iovec[n++], owner_uid);
-
 #ifdef HAVE_SELINUX
                 if (label) {
                         selinux_context = malloc(sizeof("_SELINUX_CONTEXT=") + label_len);
@@ -1692,8 +1699,8 @@ static int stdout_stream_new(Server *s) {
         }
 
 #ifdef HAVE_SELINUX
-        if (getpeercon(fd, &stream->security_context) < 0)
-                log_error("Failed to determine peer security context.");
+        if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)
+                log_error("Failed to determine peer security context: %m");
 #endif
 
         if (shutdown(fd, SHUT_WR) < 0) {
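Review bot: The new `errno != ENOPROTOOPT` exemption has no comment saying why that one error is silent, and someone later auditing entries without a security context needs to know it is deliberate. Suggest adding above the check `/* ENOPROTOOPT: no peer label available (presumably SELinux is off); not an error */`. On any other failure the code only logs and carries on, so that stream's entries will presumably be stored without a context; the same comment should state this. stdout_stream_new() extends beyond the hunk.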
@@ -1768,6 +1775,17 @@ static int parse_kernel_timestamp(char **_p, usec_t *t) {
         return 1;
 }
 
+static bool is_us(const char *pid) {
+        pid_t t;
+
+        assert(pid);
+
+        if (parse_pid(pid, &t) < 0)
+                return false;
+
+        return t == getpid();
+}
+
 static void proc_kmsg_line(Server *s, const char *p) {
         struct iovec iovec[N_IOVEC_META_FIELDS + 7];
         char *message = NULL, *syslog_priority = NULL, *syslog_pid = NULL, *syslog_facility = NULL, *syslog_identifier = NULL, *source_time = NULL;
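Review bot: `is_us()` compares against a PID parsed from the record text, not from any credential, so it is a feedback-loop guard rather than a check of who wrote the record. The call site in the next hunk (`if (pid && is_us(pid)) goto finish;`) gets that string from `read_identifier()`. A kmsg line whose tag carries journald's PID is therefore dropped without a trace, which matters when the journal is relied on as evidence. Suggest documenting this on the helper, e.g. `/* Loop guard only: pid comes from the message text, not from credentials */`, and considering a debug log or counter for skipped lines. proc_kmsg_line() continues outside this hunk.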
@@ -1807,6 +1825,11 @@ static void proc_kmsg_line(Server *s, const char *p) {
         } else {
                 read_identifier(&p, &identifier, &pid);
 
+                /* Avoid any messages we generated ourselves via
+                 * log_info() and friends. */
+                if (pid && is_us(pid))
+                        goto finish;
+
                 if (s->forward_to_syslog)
                         forward_syslog(s, priority, identifier, p, NULL, NULL);
 
@@ -1832,6 +1855,7 @@ static void proc_kmsg_line(Server *s, const char *p) {
 
         dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, NULL, 0, priority);
 
+finish:
         free(message);
         free(syslog_priority);
         free(syslog_identifier);
@@ -1949,7 +1973,7 @@ static int system_journal_open(Server *s) {
                         /* OK, we really need the runtime journal, so create
                          * it if necessary. */
 
-                        (void) mkdir_parents(fn, 0755);
+                        (void) mkdir_parents_label(fn, 0755);
                         r = journal_file_open_reliably(fn, O_RDWR|O_CREAT, 0640, NULL, &s->runtime_journal);
                         free(fn);
 
@@ -2774,7 +2798,7 @@ int main(int argc, char *argv[]) {
                 return EXIT_FAILURE;
         }
 
-        log_set_target(LOG_TARGET_CONSOLE);
+        log_set_target(LOG_TARGET_SAFE);
         log_set_facility(LOG_SYSLOG);
         log_parse_environment();
         log_open();