[systemd-devel] [PATCH v4] journal: add logging of effective capabilities _CAP_EFFECTIVE

2013-07-15 Thread Shawn Landden
I think this is the most important of the capabilities bitmasks to log.
---
 TODO   |  2 --
 man/systemd.journal-fields.xml |  9 +
 src/journal/journald-server.c  |  7 +++
 src/shared/util.c  | 34 ++
 src/shared/util.h  |  1 +
 5 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/TODO b/TODO
index 5d4ba8f..0782038 100644
--- a/TODO
+++ b/TODO
@@ -208,8 +208,6 @@ Features:
 
 * teach ConditionKernelCommandLine= globs or regexes (in order to match 
foobar={no,0,off})
 
-* we should log capabilities too
-
 * Support SO_REUSEPORT with socket activation:
   - Let systemd maintain a pool of servers.
   - Use for seamless upgrades, by running the new server before stopping the
diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
index ed62edc..452406c 100644
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@@ -197,6 +197,15 @@
 
 
 
+_CAP_EFFECTIVE=
+
+The effective 
capabilities7
 of
+the process the journal entry
+originates from.
+
+
+
+
 _AUDIT_SESSION=
 
_AUDIT_LOGINUID=
 
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 6beaa8a..332ba41 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -578,6 +578,13 @@ static void dispatch_message_real(
 IOVEC_SET_STRING(iovec[n++], x);
 }
 
+r = get_process_capeff(ucred->pid, &t);
+if (r >= 0) {
+x = strappenda("_CAP_EFFECTIVE=", t);
+free(t);
+IOVEC_SET_STRING(iovec[n++], x);
+}
+
 #ifdef HAVE_AUDIT
 r = audit_session_from_pid(ucred->pid, &audit);
 if (r >= 0) {
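Review bot: The mask placed in `_CAP_EFFECTIVE` is read from /proc for `ucred->pid` only after the message has been received, so if the sender has already exited and its pid was recycled the value logged belongs to another process; the neighbouring /proc-sourced fields presumably share that limitation, but this field is the one a consumer is most likely to treat as a security attribute, so it deserves a comment on the `get_process_capeff` line: `/* Best-effort: read from /proc after receipt, a recycled pid yields another process's mask. */`. Note also that `t` is freed on the line after `strappenda()`, so the stack copy in `x` is the only one left for the rest of the function; that is fine as long as the value stays a short hex string, which is what the kernel appears to emit. dispatch_message_real starts before and ends after this hunk.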
diff --git a/src/shared/util.c b/src/shared/util.c
index ceee6f2..7e9c8ea 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
 return 0;
 }
 
+int get_process_capeff(pid_t pid, char **capeff) {
+const char *p;
+_cleanup_free_ char *status = NULL;
+char *t = NULL;
+int r;
+
+assert(capeff);
+assert(pid >= 0);
+
+if (pid == 0)
+p = "/proc/self/status";
+else
+p = procfs_file_alloca(pid, "status");
+
+r = read_full_file(p, &status, NULL);
+if (r < 0)
+return r;
+
+t = strstr(status, "\nCapEff:\t");
+if (!t)
+return -ENOENT;
+
+for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
+continue;
+
+if (t[0] == '\n')
+t--;
+
+*capeff = strndup(t, strchr(t, '\n') - t);
+if (!*capeff)
+return -ENOMEM;
+
+return 0;
+}
 
 int get_process_exe(pid_t pid, char **name) {
 const char *p;
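Review bot: `strchr(t, '\n')` on the `strndup` line can return NULL when `CapEff:` is the last line of the buffer and there is no trailing newline, in which case `NULL - t` is undefined behaviour and `strndup` is handed a garbage length; the same gap exists in the all-zeros back-step, which only tests `t[0] == '\n'` and so does not fire when the run of zeros ends at the NUL terminator. /proc/PID/status does terminate every line today, but this is a shared util helper and the check is cheap: with a new `char *e` local, replace the back-step and the strndup with `if (t[0] == '\n' || t[0] == '\0') t--;`, `e = strchr(t, '\n'); if (!e) e = t + strlen(t);` and `*capeff = strndup(t, e - t);`. The zero-stripping loop and the strstr lookup are otherwise sound; a one-line comment above the loop, `/* Drop leading zeros of the %016llx the kernel prints, keeping a single 0 for an empty mask */`, would explain why `t--` is needed.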
diff --git a/src/shared/util.h b/src/shared/util.h
index ddb21b4..fac08ca 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool 
comm_fallback, char *
 int get_process_exe(pid_t pid, char **name);
 int get_process_uid(pid_t pid, uid_t *uid);
 int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);
 
 char hexchar(int x) _const_;
 int unhexchar(char c) _const_;
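Review bot: The added prototype says nothing about what `*capeff` holds or who frees it, and callers will likely treat this value as a security attribute, so the contract is worth stating where the function is declared: `/* Effective capability mask of pid (0 = self) from /proc/PID/status as a hex string, leading zeros stripped; *capeff is malloc()ed and owned by the caller. Returns 0, or a negative errno (-ENOENT if no CapEff line). */`. The surrounding `get_process_*` prototypes are undocumented in the same way, so this may be the file's convention rather than an omission of the patch.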
-- 
1.8.3.2



Re: [systemd-devel] [PATCH v4] journal: add logging of effective capabilities _CAP_EFFECTIVE

2013-07-15 Thread Lennart Poettering
On Mon, 15.07.13 18:10, Shawn Landden (shawnland...@gmail.com) wrote:

> I think this is the most important of the capabilities bitmasks to
> log.

Applied! Thanks!

> ---
>  TODO   |  2 --
>  man/systemd.journal-fields.xml |  9 +
>  src/journal/journald-server.c  |  7 +++
>  src/shared/util.c  | 34 ++
>  src/shared/util.h  |  1 +
>  5 files changed, 51 insertions(+), 2 deletions(-)
> 
> diff --git a/TODO b/TODO
> index 5d4ba8f..0782038 100644
> --- a/TODO
> +++ b/TODO
> @@ -208,8 +208,6 @@ Features:
>  
>  * teach ConditionKernelCommandLine= globs or regexes (in order to match 
> foobar={no,0,off})
>  
> -* we should log capabilities too
> -
>  * Support SO_REUSEPORT with socket activation:
>- Let systemd maintain a pool of servers.
>- Use for seamless upgrades, by running the new server before stopping the
> diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
> index ed62edc..452406c 100644
> --- a/man/systemd.journal-fields.xml
> +++ b/man/systemd.journal-fields.xml
> @@ -197,6 +197,15 @@
>  
>  
>  
> +
> _CAP_EFFECTIVE=
> +
> +The effective 
> capabilities7
>  of
> +the process the journal entry
> +originates from.
> +
> +
> +
> +
>  
> _AUDIT_SESSION=
>  
> _AUDIT_LOGINUID=
>  
> diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
> index 6beaa8a..332ba41 100644
> --- a/src/journal/journald-server.c
> +++ b/src/journal/journald-server.c
> @@ -578,6 +578,13 @@ static void dispatch_message_real(
>  IOVEC_SET_STRING(iovec[n++], x);
>  }
>  
> +r = get_process_capeff(ucred->pid, &t);
> +if (r >= 0) {
> +x = strappenda("_CAP_EFFECTIVE=", t);
> +free(t);
> +IOVEC_SET_STRING(iovec[n++], x);
> +}
> +
>  #ifdef HAVE_AUDIT
>  r = audit_session_from_pid(ucred->pid, &audit);
>  if (r >= 0) {
> diff --git a/src/shared/util.c b/src/shared/util.c
> index ceee6f2..7e9c8ea 100644
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
>  return 0;
>  }
>  
> +int get_process_capeff(pid_t pid, char **capeff) {
> +const char *p;
> +_cleanup_free_ char *status = NULL;
> +char *t = NULL;
> +int r;
> +
> +assert(capeff);
> +assert(pid >= 0);
> +
> +if (pid == 0)
> +p = "/proc/self/status";
> +else
> +p = procfs_file_alloca(pid, "status");
> +
> +r = read_full_file(p, &status, NULL);
> +if (r < 0)
> +return r;
> +
> +t = strstr(status, "\nCapEff:\t");
> +if (!t)
> +return -ENOENT;
> +
> +for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
> +continue;
> +
> +if (t[0] == '\n')
> +t--;
> +
> +*capeff = strndup(t, strchr(t, '\n') - t);
> +if (!*capeff)
> +return -ENOMEM;
> +
> +return 0;
> +}
>  
>  int get_process_exe(pid_t pid, char **name) {
>  const char *p;
> diff --git a/src/shared/util.h b/src/shared/util.h
> index ddb21b4..fac08ca 100644
> --- a/src/shared/util.h
> +++ b/src/shared/util.h
> @@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, 
> bool comm_fallback, char *
>  int get_process_exe(pid_t pid, char **name);
>  int get_process_uid(pid_t pid, uid_t *uid);
>  int get_process_gid(pid_t pid, gid_t *gid);
> +int get_process_capeff(pid_t pid, char **capeff);
>  
>  char hexchar(int x) _const_;
>  int unhexchar(char c) _const_;


Lennart

-- 
Lennart Poettering - Red Hat, Inc.