]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/journald-native.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <sys/statvfs.h>
9 #include "alloc-util.h"
13 #include "journal-importer.h"
14 #include "journal-internal.h"
15 #include "journal-util.h"
16 #include "journald-client.h"
17 #include "journald-console.h"
18 #include "journald-kmsg.h"
19 #include "journald-native.h"
20 #include "journald-server.h"
21 #include "journald-syslog.h"
22 #include "journald-wall.h"
23 #include "memfd-util.h"
24 #include "memory-util.h"
25 #include "parse-util.h"
26 #include "path-util.h"
27 #include "process-util.h"
28 #include "selinux-util.h"
29 #include "socket-util.h"
30 #include "string-util.h"
32 #include "unaligned.h"
34 static bool allow_object_pid(const struct ucred
*ucred
) {
35 return ucred
&& ucred
->uid
== 0;
38 static void server_process_entry_meta(
39 const char *p
, size_t l
,
40 const struct ucred
*ucred
,
46 /* We need to determine the priority of this entry for the rate limiting logic */
49 startswith(p
, "PRIORITY=") &&
50 p
[9] >= '0' && p
[9] <= '9')
51 *priority
= (*priority
& LOG_FACMASK
) | (p
[9] - '0');
54 startswith(p
, "SYSLOG_FACILITY=") &&
55 p
[16] >= '0' && p
[16] <= '9')
56 *priority
= (*priority
& LOG_PRIMASK
) | ((p
[16] - '0') << 3);
59 startswith(p
, "SYSLOG_FACILITY=") &&
60 p
[16] >= '0' && p
[16] <= '9' &&
61 p
[17] >= '0' && p
[17] <= '9')
62 *priority
= (*priority
& LOG_PRIMASK
) | (((p
[16] - '0')*10 + (p
[17] - '0')) << 3);
65 startswith(p
, "SYSLOG_IDENTIFIER=")) {
68 t
= memdup_suffix0(p
+ 18, l
- 18);
70 free_and_replace(*identifier
, t
);
73 startswith(p
, "MESSAGE=")) {
76 t
= memdup_suffix0(p
+ 8, l
- 8);
78 free_and_replace(*message
, t
);
80 } else if (l
> STRLEN("OBJECT_PID=") &&
81 l
< STRLEN("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t
) &&
82 startswith(p
, "OBJECT_PID=") &&
83 allow_object_pid(ucred
)) {
84 char buf
[DECIMAL_STR_MAX(pid_t
)];
85 memcpy(buf
, p
+ STRLEN("OBJECT_PID="),
86 l
- STRLEN("OBJECT_PID="));
87 buf
[l
-STRLEN("OBJECT_PID=")] = '\0';
89 (void) parse_pid(buf
, object_pid
);
93 static int server_process_entry(
95 const void *buffer
, size_t *remaining
,
96 ClientContext
*context
,
97 const struct ucred
*ucred
,
98 const struct timeval
*tv
,
99 const char *label
, size_t label_len
) {
101 /* Process a single entry from a native message. Returns 0 if nothing special happened and the message
102 * processing should continue, and a negative or positive value otherwise.
104 * Note that *remaining is altered on both success and failure. */
106 size_t n
= 0, j
, tn
= SIZE_MAX
, entry_size
= 0;
107 char *identifier
= NULL
, *message
= NULL
;
108 struct iovec
*iovec
= NULL
;
109 int priority
= LOG_INFO
;
110 pid_t object_pid
= 0;
116 while (*remaining
> 0) {
119 e
= memchr(p
, '\n', *remaining
);
122 /* Trailing noise, let's ignore it, and flush what we collected */
123 log_debug("Received message with trailing noise, ignoring.");
124 break; /* finish processing of the message */
128 /* Entry separator */
133 if (IN_SET(*p
, '.', '#')) {
134 /* Ignore control commands for now, and comments too. */
135 *remaining
-= (e
- p
) + 1;
140 /* A property follows */
141 if (n
> ENTRY_FIELD_COUNT_MAX
) {
142 log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX
) " fields, ignoring entry.");
146 /* n existing properties, 1 new, +1 for _TRANSPORT */
147 if (!GREEDY_REALLOC(iovec
,
149 N_IOVEC_META_FIELDS
+ N_IOVEC_OBJECT_FIELDS
+
150 client_context_extra_fields_n_iovec(context
))) {
155 q
= memchr(p
, '=', e
- p
);
157 if (journal_field_valid(p
, q
- p
, false)) {
161 if (l
> DATA_SIZE_MAX
) {
162 log_debug("Received text block of %zu bytes is too large, ignoring entry.", l
);
166 if (entry_size
+ l
+ n
+ 1 > ENTRY_SIZE_MAX
) { /* data + separators + trailer */
167 log_debug("Entry is too big (%zu bytes after processing %zu entries), ignoring entry.",
168 entry_size
+ l
, n
+ 1);
172 /* If the field name starts with an underscore, skip the variable, since that indicates
174 iovec
[n
++] = IOVEC_MAKE((char*) p
, l
);
177 server_process_entry_meta(p
, l
, ucred
,
184 *remaining
-= (e
- p
) + 1;
191 if (*remaining
< e
- p
+ 1 + sizeof(uint64_t) + 1) {
192 log_debug("Failed to parse message, ignoring.");
196 l
= unaligned_read_le64(e
+ 1);
197 if (l
> DATA_SIZE_MAX
) {
198 log_debug("Received binary data block of %"PRIu64
" bytes is too large, ignoring entry.", l
);
202 total
= (e
- p
) + 1 + l
;
203 if (entry_size
+ total
+ n
+ 1 > ENTRY_SIZE_MAX
) { /* data + separators + trailer */
204 log_debug("Entry is too big (%"PRIu64
"bytes after processing %zu fields), ignoring.",
205 entry_size
+ total
, n
+ 1);
209 if ((uint64_t) *remaining
< e
- p
+ 1 + sizeof(uint64_t) + l
+ 1 ||
210 e
[1+sizeof(uint64_t)+l
] != '\n') {
211 log_debug("Failed to parse message, ignoring.");
223 memcpy(k
+ (e
- p
) + 1, e
+ 1 + sizeof(uint64_t), l
);
225 if (journal_field_valid(p
, e
- p
, false)) {
226 iovec
[n
] = IOVEC_MAKE(k
, (e
- p
) + 1 + l
);
227 entry_size
+= iovec
[n
].iov_len
;
230 server_process_entry_meta(k
, (e
- p
) + 1 + l
, ucred
,
238 *remaining
-= (e
- p
) + 1 + sizeof(uint64_t) + l
+ 1;
239 p
= e
+ 1 + sizeof(uint64_t) + l
+ 1;
247 iovec
[tn
] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
248 entry_size
+= STRLEN("_TRANSPORT=journal");
250 if (entry_size
+ n
+ 1 > ENTRY_SIZE_MAX
) { /* data + separators + trailer */
251 log_debug("Entry is too big with %zu properties and %zu bytes, ignoring.", n
, entry_size
);
255 r
= 0; /* Success, we read the message. */
257 if (!client_context_test_priority(context
, priority
))
261 /* Ensure message is not NULL, otherwise strlen(message) would crash. This check needs to
262 * be here until server_process_entry() is able to process messages containing \0 characters,
263 * as we would have access to the actual size of message. */
264 r
= client_context_check_keep_log(context
, message
, strlen(message
));
268 if (s
->forward_to_syslog
)
269 server_forward_syslog(s
, syslog_fixup_facility(priority
), identifier
, message
, ucred
, tv
);
271 if (s
->forward_to_kmsg
)
272 server_forward_kmsg(s
, priority
, identifier
, message
, ucred
);
274 if (s
->forward_to_console
)
275 server_forward_console(s
, priority
, identifier
, message
, ucred
);
277 if (s
->forward_to_wall
)
278 server_forward_wall(s
, priority
, identifier
, message
, ucred
);
281 server_dispatch_message(s
, iovec
, n
, MALLOC_ELEMENTSOF(iovec
), context
, tv
, priority
, object_pid
);
284 for (j
= 0; j
< n
; j
++) {
288 if (iovec
[j
].iov_base
< buffer
||
289 (const char*) iovec
[j
].iov_base
>= p
+ *remaining
)
290 free(iovec
[j
].iov_base
);
300 void server_process_native_message(
302 const char *buffer
, size_t buffer_size
,
303 const struct ucred
*ucred
,
304 const struct timeval
*tv
,
305 const char *label
, size_t label_len
) {
307 size_t remaining
= buffer_size
;
308 ClientContext
*context
= NULL
;
312 assert(buffer
|| buffer_size
== 0);
314 if (ucred
&& pid_is_valid(ucred
->pid
)) {
315 r
= client_context_get(s
, ucred
->pid
, ucred
, label
, label_len
, NULL
, &context
);
317 log_ratelimit_warning_errno(r
, JOURNAL_LOG_RATELIMIT
,
318 "Failed to retrieve credentials for PID " PID_FMT
", ignoring: %m",
323 r
= server_process_entry(s
,
324 (const uint8_t*) buffer
+ (buffer_size
- remaining
), &remaining
,
325 context
, ucred
, tv
, label
, label_len
);
329 void server_process_native_file(
332 const struct ucred
*ucred
,
333 const struct timeval
*tv
,
334 const char *label
, size_t label_len
) {
340 /* Data is in the passed fd, probably it didn't fit in a datagram. */
345 /* If it's a memfd, check if it is sealed. If so, we can just
346 * mmap it and use it, and do not need to copy the data out. */
347 sealed
= memfd_get_sealed(fd
) > 0;
349 if (!sealed
&& (!ucred
|| ucred
->uid
!= 0)) {
350 _cleanup_free_
char *k
= NULL
;
353 /* If this is not a sealed memfd, and the peer is unknown or
354 * unprivileged, then verify the path. */
356 r
= fd_get_path(fd
, &k
);
358 log_ratelimit_error_errno(r
, JOURNAL_LOG_RATELIMIT
,
359 "readlink(/proc/self/fd/%i) failed: %m", fd
);
363 e
= PATH_STARTSWITH_SET(k
, "/dev/shm/", "/tmp/", "/var/tmp/");
365 log_ratelimit_error(JOURNAL_LOG_RATELIMIT
,
366 "Received file outside of allowed directories. Refusing.");
370 if (!filename_is_valid(e
)) {
371 log_ratelimit_error(JOURNAL_LOG_RATELIMIT
,
372 "Received file in subdirectory of allowed directories. Refusing.");
377 if (fstat(fd
, &st
) < 0) {
378 log_ratelimit_error_errno(errno
, JOURNAL_LOG_RATELIMIT
,
379 "Failed to stat passed file, ignoring: %m");
383 if (!S_ISREG(st
.st_mode
)) {
384 log_ratelimit_error(JOURNAL_LOG_RATELIMIT
,
385 "File passed is not regular. Ignoring.");
392 /* When !sealed, set a lower memory limit. We have to read the file,
393 * effectively doubling memory use. */
394 if (st
.st_size
> ENTRY_SIZE_MAX
/ (sealed
? 1 : 2)) {
395 log_ratelimit_error(JOURNAL_LOG_RATELIMIT
,
396 "File passed too large (%"PRIu64
" bytes). Ignoring.",
397 (uint64_t) st
.st_size
);
405 /* The file is sealed, we can just map it and use it. */
407 ps
= PAGE_ALIGN(st
.st_size
);
408 p
= mmap(NULL
, ps
, PROT_READ
, MAP_PRIVATE
, fd
, 0);
409 if (p
== MAP_FAILED
) {
410 log_ratelimit_error_errno(errno
, JOURNAL_LOG_RATELIMIT
,
411 "Failed to map memfd, ignoring: %m");
415 server_process_native_message(s
, p
, st
.st_size
, ucred
, tv
, label
, label_len
);
416 assert_se(munmap(p
, ps
) >= 0);
418 _cleanup_free_
void *p
= NULL
;
422 if (fstatvfs(fd
, &vfs
) < 0) {
423 log_ratelimit_error_errno(errno
, JOURNAL_LOG_RATELIMIT
,
424 "Failed to stat file system of passed file, not processing it: %m");
428 /* Refuse operating on file systems that have
429 * mandatory locking enabled, see:
431 * https://github.com/systemd/systemd/issues/1822
433 if (vfs
.f_flag
& ST_MANDLOCK
) {
434 log_ratelimit_error(JOURNAL_LOG_RATELIMIT
,
435 "Received file descriptor from file system with mandatory locking enabled, not processing it.");
439 /* Make the fd non-blocking. On regular files this has
440 * the effect of bypassing mandatory locking. Of
441 * course, this should normally not be necessary given
442 * the check above, but let's better be safe than
443 * sorry, after all NFS is pretty confusing regarding
444 * file system flags, and we better don't trust it,
446 r
= fd_nonblock(fd
, true);
448 log_ratelimit_error_errno(r
, JOURNAL_LOG_RATELIMIT
,
449 "Failed to make fd non-blocking, not processing it: %m");
453 /* The file is not sealed, we can't map the file here, since
454 * clients might then truncate it and trigger a SIGBUS for
455 * us. So let's stupidly read it. */
457 p
= malloc(st
.st_size
);
463 n
= pread(fd
, p
, st
.st_size
, 0);
465 log_ratelimit_error_errno(errno
, JOURNAL_LOG_RATELIMIT
,
466 "Failed to read file, ignoring: %m");
468 server_process_native_message(s
, p
, n
, ucred
, tv
, label
, label_len
);
472 int server_open_native_socket(Server
*s
, const char *native_socket
) {
476 assert(native_socket
);
478 if (s
->native_fd
< 0) {
479 union sockaddr_union sa
;
482 r
= sockaddr_un_set_path(&sa
.un
, native_socket
);
484 return log_error_errno(r
, "Unable to use namespace path %s for AF_UNIX socket: %m", native_socket
);
487 s
->native_fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
488 if (s
->native_fd
< 0)
489 return log_error_errno(errno
, "socket() failed: %m");
491 (void) sockaddr_un_unlink(&sa
.un
);
493 r
= bind(s
->native_fd
, &sa
.sa
, sa_len
);
495 return log_error_errno(errno
, "bind(%s) failed: %m", sa
.un
.sun_path
);
497 (void) chmod(sa
.un
.sun_path
, 0666);
499 (void) fd_nonblock(s
->native_fd
, true);
501 r
= setsockopt_int(s
->native_fd
, SOL_SOCKET
, SO_PASSCRED
, true);
503 return log_error_errno(r
, "SO_PASSCRED failed: %m");
505 if (mac_selinux_use()) {
506 r
= setsockopt_int(s
->native_fd
, SOL_SOCKET
, SO_PASSSEC
, true);
508 log_warning_errno(r
, "SO_PASSSEC failed: %m");
511 r
= setsockopt_int(s
->native_fd
, SOL_SOCKET
, SO_TIMESTAMP
, true);
513 return log_error_errno(r
, "SO_TIMESTAMP failed: %m");
515 r
= sd_event_add_io(s
->event
, &s
->native_event_source
, s
->native_fd
, EPOLLIN
, server_process_datagram
, s
);
517 return log_error_errno(r
, "Failed to add native server fd to event loop: %m");
519 r
= sd_event_source_set_priority(s
->native_event_source
, SD_EVENT_PRIORITY_NORMAL
+5);
521 return log_error_errno(r
, "Failed to adjust native event source priority: %m");