socket: add option for SO_PASSEC

https://bugzilla.redhat.com/show_bug.cgi?id=798760

(Note that this work is not complete yet, as the kernel seems to send us
useless data with SCM_SECURITY enabled)

diff --git a/TODO b/TODO
index 81aaabcc238b84a1b02cc7d1e8ecb098f771cd7e..96ae6355d8b03dff2e9ac4e88c051872a45f8007 100644 (file)
--- a/TODO
+++ b/TODO
@@ -18,6 +18,8 @@ Bugfixes:
 
 Features:
 
+* journal: extend sd-journal.h logging calls to implicitly log function names/line numbers/...
+
 * document crypttab(5)
 
 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index ef5b28c771984330cc4bf5b3f4aab7c10859a6aa..d9921e496d91daf25a7f1da7c96058a02176bca5 100644 (file)
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -528,13 +528,24 @@
                                 <term><varname>PassCredentials=</varname></term>
                                 <listitem><para>Takes a boolean
                                 value. This controls the SO_PASSCRED
-                                socket option, which allows UNIX sockets to
+                                socket option, which allows AF_UNIX sockets to
                                 receive the credentials of the sending
                                 process in an ancillary message.
                                 Defaults to
                                 <option>false</option>.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><varname>PassSecurity=</varname></term>
+                                <listitem><para>Takes a boolean
+                                value. This controls the SO_PASSSEC
+                                socket option, which allows AF_UNIX
+                                sockets to receive the security
+                                context of the sending process in an
+                                ancillary message.  Defaults to
+                                <option>false</option>.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><varname>TCPCongestion=</varname></term>
                                 <listitem><para>Takes a string

diff --git a/src/dbus-socket.c b/src/dbus-socket.c
index 9fef6769f014e3d994d9075c6990b21c6cb61ea3..2e3342cb551f6608a71df5f101cc91c4ee1a1ebc 100644 (file)
--- a/src/dbus-socket.c
+++ b/src/dbus-socket.c
@@ -52,6 +52,7 @@
         "  <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
+        "  <property name=\"PassSecurity\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Mark\" type=\"i\" access=\"read\"/>\n"      \
         "  <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
         "  <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
@@ -114,6 +115,7 @@ static const BusProperty bus_socket_properties[] = {
         { "Transparent",    bus_property_append_bool,          "b", offsetof(Socket, transparent)     },
         { "Broadcast",      bus_property_append_bool,          "b", offsetof(Socket, broadcast)       },
         { "PassCredentials",bus_property_append_bool,          "b", offsetof(Socket, pass_cred)       },
+        { "PassSecurity",   bus_property_append_bool,          "b", offsetof(Socket, pass_sec)        },
         { "Mark",           bus_property_append_int,           "i", offsetof(Socket, mark)            },
         { "MaxConnections", bus_property_append_unsigned,      "u", offsetof(Socket, max_connections) },
         { "NConnections",   bus_property_append_unsigned,      "u", offsetof(Socket, n_connections)   },

diff --git a/src/journal/journald.c b/src/journal/journald.c
index 73f8ed6ae8474b14ace2df49f7f56b27960f60c1..375f5aa6ca9b8f5dbe704f373155890f5dec26a3 100644 (file)
--- a/src/journal/journald.c
+++ b/src/journal/journald.c
@@ -2252,6 +2252,11 @@ static int open_syslog_socket(Server *s) {
                 return -errno;
         }
 
+        one = 1;
+        r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+        if (r < 0)
+                log_warning("SO_PASSSEC failed: %m");
+
         one = 1;
         r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
         if (r < 0) {
@@ -2308,6 +2313,11 @@ static int open_native_socket(Server*s) {
                 return -errno;
         }
 
+        one = 1;
+        r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+        if (r < 0)
+                log_warning("SO_PASSSEC failed: %m");
+
         one = 1;
         r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
         if (r < 0) {

diff --git a/src/load-fragment-gperf.gperf.m4 b/src/load-fragment-gperf.gperf.m4
index 44ce4bbbc4b88792befb21f208879aed416a3991..4b02e3157ef68dc851ed20b490e68d79ff30a63e 100644 (file)
--- a/src/load-fragment-gperf.gperf.m4
+++ b/src/load-fragment-gperf.gperf.m4
@@ -186,6 +186,7 @@ Socket.FreeBind,                 config_parse_bool,                  0,
 Socket.Transparent,              config_parse_bool,                  0,                             offsetof(Socket, transparent)
 Socket.Broadcast,                config_parse_bool,                  0,                             offsetof(Socket, broadcast)
 Socket.PassCredentials,          config_parse_bool,                  0,                             offsetof(Socket, pass_cred)
+Socket.PassSecurity,             config_parse_bool,                  0,                             offsetof(Socket, pass_sec)
 Socket.TCPCongestion,            config_parse_string,                0,                             offsetof(Socket, tcp_congestion)
 Socket.MessageQueueMaxMessages,  config_parse_long,                  0,                             offsetof(Socket, mq_maxmsg)
 Socket.MessageQueueMessageSize,  config_parse_long,                  0,                             offsetof(Socket, mq_msgsize)

diff --git a/src/missing.h b/src/missing.h
index 213ef2f6a69235ede7f1b1a0741aab248b766910..095bf1fe042ad8a694aa1c18eb9a2bb9816e1f57 100644 (file)
--- a/src/missing.h
+++ b/src/missing.h
@@ -180,4 +180,8 @@ static inline pid_t gettid(void) {
         return (pid_t) syscall(SYS_gettid);
 }
 
+#ifndef SCM_SECURITY
+#define SCM_SECURITY 0x03
+#endif
+
 #endif

diff --git a/src/socket.c b/src/socket.c
index aeedcbd7f3719eb26aaac4e524249769b9557568..ecaf3d21488722e913ff9f70e26effdb6aac18a7 100644 (file)
--- a/src/socket.c
+++ b/src/socket.c
@@ -417,6 +417,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sTransparent: %s\n"
                 "%sBroadcast: %s\n"
                 "%sPassCredentials: %s\n"
+                "%sPassSecurity: %s\n"
                 "%sTCPCongestion: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_result_to_string(s->result),
@@ -429,6 +430,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, yes_no(s->transparent),
                 prefix, yes_no(s->broadcast),
                 prefix, yes_no(s->pass_cred),
+                prefix, yes_no(s->pass_sec),
                 prefix, strna(s->tcp_congestion));
 
         if (s->control_pid > 0)
@@ -676,6 +678,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                         log_warning("SO_PASSCRED failed: %m");
         }
 
+        if (s->pass_sec) {
+                int one = 1;
+                if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
+                        log_warning("SO_PASSSEC failed: %m");
+        }
+
         if (s->priority >= 0)
                 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
                         log_warning("SO_PRIORITY failed: %m");

diff --git a/src/socket.h b/src/socket.h
index 6f2af7cd613b43b48501b0ed00df3c7665d7dc38..6470d8b63e6f1119209e388ea6dbfc6dab17c60b 100644 (file)
--- a/src/socket.h
+++ b/src/socket.h
@@ -129,6 +129,7 @@ struct Socket {
         bool transparent;
         bool broadcast;
         bool pass_cred;
+        bool pass_sec;
         int priority;
         int mark;
         size_t receive_buffer;

diff --git a/units/syslog.socket b/units/syslog.socket
index 1c54857762385592dfea0a9089e200ff1caad7c3..0e211e16e7985a586d7735869686d577373e18d0 100644 (file)
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -21,6 +21,7 @@ Wants=syslog.target
 ListenDatagram=/run/systemd/journal/syslog
 SocketMode=0666
 PassCredentials=yes
+PassSecurity=yes
 ReceiveBuffer=8M
 
 # The default syslog implementation should make syslog.service a

diff --git a/units/systemd-journald.socket b/units/systemd-journald.socket
index c752505d9fa1b009ab2a21ccacfde5c99eef1201..15fc49ef2956a04faa7988321831792ca6ab5b94 100644 (file)
--- a/units/systemd-journald.socket
+++ b/units/systemd-journald.socket
@@ -23,4 +23,5 @@ ListenDatagram=/run/systemd/journal/socket
 ListenDatagram=/dev/log
 SocketMode=0666
 PassCredentials=yes
+PassSecurity=yes
 ReceiveBuffer=8M

diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket
index 532a6f0c737eedc142eebd65b1ac49619305fd45..7f13c9386e2e07010cd9263de306b58302648b26 100644 (file)
--- a/units/systemd-shutdownd.socket
+++ b/units/systemd-shutdownd.socket
@@ -16,3 +16,4 @@ Before=sockets.target
 ListenDatagram=/run/systemd/shutdownd
 SocketMode=0600
 PassCredentials=yes
+PassSecurity=yes