I think this is the most important of the capabilities bitmasks to log. --- TODO | 2 -- man/systemd.journal-fields.xml | 9 +++++++++ src/journal/journald-server.c | 7 +++++++ src/shared/util.c | 28 ++++++++++++++++++++++++++++ src/shared/util.h | 1 + 5 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/TODO b/TODO
index 5d4ba8f..0782038 100644
--- a/TODO
+++ b/TODO
@@ -208,8 +208,6 @@ Features:
 * teach ConditionKernelCommandLine= globs or regexes
 (in order to match foobar={no,0,off})
-* we should log capabilities too
-
 * Support SO_REUSEPORT with socket activation:
 - Let systemd maintain a pool of servers.
 - Use for seamless upgrades, by running the new server before stopping the
diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
index ed62edc..452406c 100644
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@@ -197,6 +197,15 @@
 </varlistentry>
 <varlistentry>
+ <term><varname>_CAP_EFFECTIVE=</varname></term>
+ <listitem>
+ <para>The effective <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> of
+ the process the journal entry
+ originates from.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term><varname>_AUDIT_SESSION=</varname></term>
 <term><varname>_AUDIT_LOGINUID=</varname></term>
 <listitem>
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 6beaa8a..332ba41 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -578,6 +578,13 @@ static void dispatch_message_real(
 IOVEC_SET_STRING(iovec[n++], x);
 }
+ r = get_process_capeff(ucred->pid, &t);
+ if (r >= 0) {
+ x = strappenda("_CAP_EFFECTIVE=", t);
+ free(t);
+ IOVEC_SET_STRING(iovec[n++], x);
+ }
+
 #ifdef HAVE_AUDIT
 r = audit_session_from_pid(ucred->pid, &audit);
 if (r >= 0) {
diff --git a/src/shared/util.c b/src/shared/util.c
index ceee6f2..66bfdc8 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
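Review bot: `r = get_process_capeff(ucred->pid, &t);` passes the credential pid straight through, and the new helper maps pid 0 to /proc/self/status, so if ucred->pid can ever be 0 on a path into dispatch_message_real() (the function starts outside this hunk, so its earlier guards are not visible here) the entry would carry journald's own effective capabilities under `_CAP_EFFECTIVE=` rather than the sender's. A guard such as `if (ucred->pid > 0)` around the call, or whatever check the neighbouring get_process_* fields already rely on, would make the attribution explicit. Otherwise the block follows the pattern of the surrounding fields (strappenda() copy, free of the heap string, iovec append).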
@@ -726,6 +726,34 @@ int is_kernel_thread(pid_t pid) {
 return 0;
 }
+int get_process_capeff(pid_t pid, char **capeff) {
+ const char *p;
+ _cleanup_free_ char *status = NULL;
+ char *t = NULL;
+ int r;
+
+ assert(capeff);
+ assert(pid >= 0);
+
+ if (pid == 0)
+ p = "/proc/self/status";
+ else
+ p = procfs_file_alloca(pid, "status");
+
+ r = read_full_file(p, &status, NULL);
+ if (r < 0)
+ return r;
+
+ t = strstr(status, "CapEff:\t");
+ if (!t)
+ return -ENOENT;
+
+ *capeff = strndup(t + strlen("CapEff:\t"), 16);
+ if (!*capeff)
+ return -ENOMEM;
+
+ return 0;
+}
 int get_process_exe(pid_t pid, char **name) {
 const char *p;
diff --git a/src/shared/util.h b/src/shared/util.h
index ddb21b4..fac08ca 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
 int get_process_exe(pid_t pid, char **name);
 int get_process_uid(pid_t pid, uid_t *uid);
 int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);
 char hexchar(int x) _const_;
 int unhexchar(char c) _const_;
-- 
1.8.3.2
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
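Review bot: `*capeff = strndup(t + strlen("CapEff:\t"), 16);` copies a fixed 16 bytes instead of the rest of the CapEff line, so the result is only right as long as the kernel prints the mask as exactly 16 hex digits: a shorter value would pull the newline and the start of the next status field into the logged string, and a wider mask would be silently truncated. Bounding the copy by the line end costs nothing extra, e.g. `const char *e = t + strlen("CapEff:\t");` followed by `*capeff = strndup(e, strcspn(e, "\n"));`. `strstr(status, "CapEff:\t")` also matches anywhere in the buffer, not only at a line start; searching for `"\nCapEff:\t"` (with the +1 offset) would pin it to the field tag. Since this value is emitted as security metadata, a short header comment in util.h stating that the returned string is the raw hex mask from /proc/pid/status, that pid 0 means the calling process, and that the caller owns the allocation would help the callers.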