On Mon, 15.07.13 18:10, Shawn Landden (shawnland...@gmail.com) wrote:
> I think this is the most important of the capabilities bitmasks to log.
Applied! Thanks!
> ---
> TODO | 2 --
> man/systemd.journal-fields.xml | 9 +++++++++
> src/journal/journald-server.c | 7 +++++++
> src/shared/util.c | 34 ++++++++++++++++++++++++++++++++++
> src/shared/util.h | 1 +
> 5 files changed, 51 insertions(+), 2 deletions(-)
>
> diff --git a/TODO b/TODO
> index 5d4ba8f..0782038 100644
> --- a/TODO
> +++ b/TODO
> @@ -208,8 +208,6 @@ Features:
>
> * teach ConditionKernelCommandLine= globs or regexes (in order to match > foobar={no,0,off})
>
> -* we should log capabilities too
> -
> * Support SO_REUSEPORT with socket activation:
> - Let systemd maintain a pool of servers.
> - Use for seamless upgrades, by running the new server before stopping the
> diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
> index ed62edc..452406c 100644
> --- a/man/systemd.journal-fields.xml
> +++ b/man/systemd.journal-fields.xml
> @@ -197,6 +197,15 @@
> </varlistentry>
>
> <varlistentry>
> + > <term><varname>_CAP_EFFECTIVE=</varname></term>
> + <listitem>
> + <para>The effective > <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> > of
> + the process the journal entry
> + originates from.</para>
> + </listitem>
> + </varlistentry>
> +
> + <varlistentry>
> > <term><varname>_AUDIT_SESSION=</varname></term>
> > <term><varname>_AUDIT_LOGINUID=</varname></term>
> <listitem>
> diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
> index 6beaa8a..332ba41 100644
> --- a/src/journal/journald-server.c
> +++ b/src/journal/journald-server.c
> @@ -578,6 +578,13 @@ static void dispatch_message_real(
> IOVEC_SET_STRING(iovec[n++], x);
> }
>
> + r = get_process_capeff(ucred->pid, &t);
> + if (r >= 0) {
> + x = strappenda("_CAP_EFFECTIVE=", t);
> + free(t);
> + IOVEC_SET_STRING(iovec[n++], x);
> + }
> +
> #ifdef HAVE_AUDIT
> r = audit_session_from_pid(ucred->pid, &audit);
> if (r >= 0) {
> diff --git a/src/shared/util.c b/src/shared/util.c
> index ceee6f2..7e9c8ea 100644
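Review bot: `IOVEC_SET_STRING(iovec[n++], x)` appends one more meta field to an iovec array whose capacity is fixed outside this hunk, and the diffstat touches no header, so that capacity constant (N_IOVEC_META_FIELDS in journald-server.h, if the array is still dimensioned that way) needs to be checked and bumped if it was exact, or the new `_CAP_EFFECTIVE=` entry writes past the end of the array. The immediate `free(t)` is correct because the alloca-based `strappenda()` copies the string, but a one-line comment such as `/* hex CapEff mask from /proc/<pid>/status, leading zeros stripped */` would spare the reader a trip to util.c. Like the surrounding /proc lookups, this resolves the sender's ucred PID after the message arrived, so a process that exits and has its PID reused can have another process's capability set attributed to its log line; that caveat is best stated once in the manpage rather than in code. dispatch_message_real() begins and ends outside the hunk.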
> --- a/src/shared/util.c
> +++ b/src/shared/util.c
> @@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
> return 0;
> }
>
> +int get_process_capeff(pid_t pid, char **capeff) {
> + const char *p;
> + _cleanup_free_ char *status = NULL;
> + char *t = NULL;
> + int r;
> +
> + assert(capeff);
> + assert(pid >= 0);
> +
> + if (pid == 0)
> + p = "/proc/self/status";
> + else
> + p = procfs_file_alloca(pid, "status");
> +
> + r = read_full_file(p, &status, NULL);
> + if (r < 0)
> + return r;
> +
> + t = strstr(status, "\nCapEff:\t");
> + if (!t)
> + return -ENOENT;
> +
> + for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
> + continue;
> +
> + if (t[0] == '\n')
> + t--;
> +
> + *capeff = strndup(t, strchr(t, '\n') - t);
> + if (!*capeff)
> + return -ENOMEM;
> +
> + return 0;
> +}
>
> int get_process_exe(pid_t pid, char **name) {
> const char *p;
> diff --git a/src/shared/util.h b/src/shared/util.h
> index ddb21b4..fac08ca 100644
> --- a/src/shared/util.h
> +++ b/src/shared/util.h
> @@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, > bool comm_fallback, char *
> int get_process_exe(pid_t pid, char **name);
> int get_process_uid(pid_t pid, uid_t *uid);
> int get_process_gid(pid_t pid, gid_t *gid);
> +int get_process_capeff(pid_t pid, char **capeff);
>
> char hexchar(int x) _const_;
> int unhexchar(char c) _const_;
Lennart -- Lennart Poettering - Red Hat, Inc. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
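Review bot: `strchr(t, '\n')` inside the `strndup()` call is not checked for NULL, so if the CapEff line is the last thing in the buffer without a trailing newline (a short or truncated read of the status file), `NULL - t` is undefined pointer arithmetic and an enormous length is handed to strndup; keep the end pointer and bail out instead: `e = strchr(t, '\n'); if (!e) return -EINVAL; *capeff = strndup(t, e - t);`. The zero-stripping loop followed by `t--` is the only thing that makes an all-zero mask come back as `"0"` rather than an empty string, which deserves `/* Drop leading zeros but keep at least one digit */` above it. The function also lacks a header comment; a short one stating that pid 0 means the calling process, that the result is the kernel's hexadecimal CapEff bitmask with leading zeros removed, and that the caller owns the returned string would match the neighbouring get_process_*() helpers. The util.h hunk on the same line only adds the prototype.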