1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2013 Lennart Poettering
8 #include <linux/capability.h>
11 #include "alloc-util.h"
12 #include "audit-util.h"
13 #include "bus-creds.h"
14 #include "bus-label.h"
15 #include "bus-message.h"
17 #include "capability-util.h"
18 #include "cgroup-util.h"
21 #include "format-util.h"
22 #include "hexdecoct.h"
23 #include "parse-util.h"
24 #include "process-util.h"
25 #include "string-util.h"
27 #include "terminal-util.h"
28 #include "user-util.h"
32 CAP_OFFSET_INHERITABLE
= 0,
33 CAP_OFFSET_PERMITTED
= 1,
34 CAP_OFFSET_EFFECTIVE
= 2,
35 CAP_OFFSET_BOUNDING
= 3
38 void bus_creds_done(sd_bus_creds
*c
) {
41 /* For internal bus cred structures that are allocated by
49 free(c
->unescaped_description
);
50 free(c
->supplementary_gids
);
53 free(c
->well_known_names
); /* note that this is an strv, but
54 * we only free the array, not the
55 * strings the array points to. The
56 * full strv we only free if
57 * c->allocated is set, see
60 strv_free(c
->cmdline_array
);
63 _public_ sd_bus_creds
*sd_bus_creds_ref(sd_bus_creds
*c
) {
74 /* If this is an embedded creds structure, then
75 * forward ref counting to the message */
76 m
= container_of(c
, sd_bus_message
, creds
);
77 sd_bus_message_ref(m
);
83 _public_ sd_bus_creds
*sd_bus_creds_unref(sd_bus_creds
*c
) {
100 free(c
->unique_name
);
101 free(c
->cgroup_root
);
102 free(c
->description
);
104 c
->supplementary_gids
= mfree(c
->supplementary_gids
);
106 c
->well_known_names
= strv_free(c
->well_known_names
);
115 m
= container_of(c
, sd_bus_message
, creds
);
116 sd_bus_message_unref(m
);
122 _public_
uint64_t sd_bus_creds_get_mask(const sd_bus_creds
*c
) {
128 _public_
uint64_t sd_bus_creds_get_augmented_mask(const sd_bus_creds
*c
) {
134 sd_bus_creds
* bus_creds_new(void) {
137 c
= new0(sd_bus_creds
, 1);
146 _public_
int sd_bus_creds_new_from_pid(sd_bus_creds
**ret
, pid_t pid
, uint64_t mask
) {
150 assert_return(pid
>= 0, -EINVAL
);
151 assert_return(mask
<= _SD_BUS_CREDS_ALL
, -EOPNOTSUPP
);
152 assert_return(ret
, -EINVAL
);
155 pid
= getpid_cached();
161 r
= bus_creds_add_more(c
, mask
| SD_BUS_CREDS_AUGMENT
, pid
, 0);
163 sd_bus_creds_unref(c
);
167 /* Check if the process existed at all, in case we haven't
168 * figured that out already */
169 if (!pid_is_alive(pid
)) {
170 sd_bus_creds_unref(c
);
178 _public_
int sd_bus_creds_get_uid(sd_bus_creds
*c
, uid_t
*uid
) {
179 assert_return(c
, -EINVAL
);
180 assert_return(uid
, -EINVAL
);
182 if (!(c
->mask
& SD_BUS_CREDS_UID
))
189 _public_
int sd_bus_creds_get_euid(sd_bus_creds
*c
, uid_t
*euid
) {
190 assert_return(c
, -EINVAL
);
191 assert_return(euid
, -EINVAL
);
193 if (!(c
->mask
& SD_BUS_CREDS_EUID
))
200 _public_
int sd_bus_creds_get_suid(sd_bus_creds
*c
, uid_t
*suid
) {
201 assert_return(c
, -EINVAL
);
202 assert_return(suid
, -EINVAL
);
204 if (!(c
->mask
& SD_BUS_CREDS_SUID
))
211 _public_
int sd_bus_creds_get_fsuid(sd_bus_creds
*c
, uid_t
*fsuid
) {
212 assert_return(c
, -EINVAL
);
213 assert_return(fsuid
, -EINVAL
);
215 if (!(c
->mask
& SD_BUS_CREDS_FSUID
))
222 _public_
int sd_bus_creds_get_gid(sd_bus_creds
*c
, gid_t
*gid
) {
223 assert_return(c
, -EINVAL
);
224 assert_return(gid
, -EINVAL
);
226 if (!(c
->mask
& SD_BUS_CREDS_GID
))
233 _public_
int sd_bus_creds_get_egid(sd_bus_creds
*c
, gid_t
*egid
) {
234 assert_return(c
, -EINVAL
);
235 assert_return(egid
, -EINVAL
);
237 if (!(c
->mask
& SD_BUS_CREDS_EGID
))
244 _public_
int sd_bus_creds_get_sgid(sd_bus_creds
*c
, gid_t
*sgid
) {
245 assert_return(c
, -EINVAL
);
246 assert_return(sgid
, -EINVAL
);
248 if (!(c
->mask
& SD_BUS_CREDS_SGID
))
255 _public_
int sd_bus_creds_get_fsgid(sd_bus_creds
*c
, gid_t
*fsgid
) {
256 assert_return(c
, -EINVAL
);
257 assert_return(fsgid
, -EINVAL
);
259 if (!(c
->mask
& SD_BUS_CREDS_FSGID
))
266 _public_
int sd_bus_creds_get_supplementary_gids(sd_bus_creds
*c
, const gid_t
**gids
) {
267 assert_return(c
, -EINVAL
);
268 assert_return(gids
, -EINVAL
);
270 if (!(c
->mask
& SD_BUS_CREDS_SUPPLEMENTARY_GIDS
))
273 *gids
= c
->supplementary_gids
;
274 return (int) c
->n_supplementary_gids
;
277 _public_
int sd_bus_creds_get_pid(sd_bus_creds
*c
, pid_t
*pid
) {
278 assert_return(c
, -EINVAL
);
279 assert_return(pid
, -EINVAL
);
281 if (!(c
->mask
& SD_BUS_CREDS_PID
))
289 _public_
int sd_bus_creds_get_ppid(sd_bus_creds
*c
, pid_t
*ppid
) {
290 assert_return(c
, -EINVAL
);
291 assert_return(ppid
, -EINVAL
);
293 if (!(c
->mask
& SD_BUS_CREDS_PPID
))
296 /* PID 1 has no parent process. Let's distinguish the case of
297 * not knowing and not having a parent process by the returned
306 _public_
int sd_bus_creds_get_tid(sd_bus_creds
*c
, pid_t
*tid
) {
307 assert_return(c
, -EINVAL
);
308 assert_return(tid
, -EINVAL
);
310 if (!(c
->mask
& SD_BUS_CREDS_TID
))
318 _public_
int sd_bus_creds_get_selinux_context(sd_bus_creds
*c
, const char **ret
) {
319 assert_return(c
, -EINVAL
);
321 if (!(c
->mask
& SD_BUS_CREDS_SELINUX_CONTEXT
))
329 _public_
int sd_bus_creds_get_comm(sd_bus_creds
*c
, const char **ret
) {
330 assert_return(c
, -EINVAL
);
331 assert_return(ret
, -EINVAL
);
333 if (!(c
->mask
& SD_BUS_CREDS_COMM
))
341 _public_
int sd_bus_creds_get_tid_comm(sd_bus_creds
*c
, const char **ret
) {
342 assert_return(c
, -EINVAL
);
343 assert_return(ret
, -EINVAL
);
345 if (!(c
->mask
& SD_BUS_CREDS_TID_COMM
))
353 _public_
int sd_bus_creds_get_exe(sd_bus_creds
*c
, const char **ret
) {
354 assert_return(c
, -EINVAL
);
355 assert_return(ret
, -EINVAL
);
357 if (!(c
->mask
& SD_BUS_CREDS_EXE
))
367 _public_
int sd_bus_creds_get_cgroup(sd_bus_creds
*c
, const char **ret
) {
368 assert_return(c
, -EINVAL
);
369 assert_return(ret
, -EINVAL
);
371 if (!(c
->mask
& SD_BUS_CREDS_CGROUP
))
379 _public_
int sd_bus_creds_get_unit(sd_bus_creds
*c
, const char **ret
) {
382 assert_return(c
, -EINVAL
);
383 assert_return(ret
, -EINVAL
);
385 if (!(c
->mask
& SD_BUS_CREDS_UNIT
))
393 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
397 r
= cg_path_get_unit(shifted
, (char**) &c
->unit
);
406 _public_
int sd_bus_creds_get_user_unit(sd_bus_creds
*c
, const char **ret
) {
409 assert_return(c
, -EINVAL
);
410 assert_return(ret
, -EINVAL
);
412 if (!(c
->mask
& SD_BUS_CREDS_USER_UNIT
))
420 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
424 r
= cg_path_get_user_unit(shifted
, (char**) &c
->user_unit
);
433 _public_
int sd_bus_creds_get_slice(sd_bus_creds
*c
, const char **ret
) {
436 assert_return(c
, -EINVAL
);
437 assert_return(ret
, -EINVAL
);
439 if (!(c
->mask
& SD_BUS_CREDS_SLICE
))
447 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
451 r
= cg_path_get_slice(shifted
, (char**) &c
->slice
);
460 _public_
int sd_bus_creds_get_user_slice(sd_bus_creds
*c
, const char **ret
) {
463 assert_return(c
, -EINVAL
);
464 assert_return(ret
, -EINVAL
);
466 if (!(c
->mask
& SD_BUS_CREDS_USER_SLICE
))
471 if (!c
->user_slice
) {
474 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
478 r
= cg_path_get_user_slice(shifted
, (char**) &c
->user_slice
);
483 *ret
= c
->user_slice
;
487 _public_
int sd_bus_creds_get_session(sd_bus_creds
*c
, const char **ret
) {
490 assert_return(c
, -EINVAL
);
491 assert_return(ret
, -EINVAL
);
493 if (!(c
->mask
& SD_BUS_CREDS_SESSION
))
501 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
505 r
= cg_path_get_session(shifted
, (char**) &c
->session
);
514 _public_
int sd_bus_creds_get_owner_uid(sd_bus_creds
*c
, uid_t
*uid
) {
518 assert_return(c
, -EINVAL
);
519 assert_return(uid
, -EINVAL
);
521 if (!(c
->mask
& SD_BUS_CREDS_OWNER_UID
))
526 r
= cg_shift_path(c
->cgroup
, c
->cgroup_root
, &shifted
);
530 return cg_path_get_owner_uid(shifted
, uid
);
533 _public_
int sd_bus_creds_get_cmdline(sd_bus_creds
*c
, char ***cmdline
) {
534 assert_return(c
, -EINVAL
);
536 if (!(c
->mask
& SD_BUS_CREDS_CMDLINE
))
542 if (!c
->cmdline_array
) {
543 c
->cmdline_array
= strv_parse_nulstr(c
->cmdline
, c
->cmdline_size
);
544 if (!c
->cmdline_array
)
548 *cmdline
= c
->cmdline_array
;
552 _public_
int sd_bus_creds_get_audit_session_id(sd_bus_creds
*c
, uint32_t *sessionid
) {
553 assert_return(c
, -EINVAL
);
554 assert_return(sessionid
, -EINVAL
);
556 if (!(c
->mask
& SD_BUS_CREDS_AUDIT_SESSION_ID
))
559 if (!audit_session_is_valid(c
->audit_session_id
))
562 *sessionid
= c
->audit_session_id
;
566 _public_
int sd_bus_creds_get_audit_login_uid(sd_bus_creds
*c
, uid_t
*uid
) {
567 assert_return(c
, -EINVAL
);
568 assert_return(uid
, -EINVAL
);
570 if (!(c
->mask
& SD_BUS_CREDS_AUDIT_LOGIN_UID
))
573 if (!uid_is_valid(c
->audit_login_uid
))
576 *uid
= c
->audit_login_uid
;
580 _public_
int sd_bus_creds_get_tty(sd_bus_creds
*c
, const char **ret
) {
581 assert_return(c
, -EINVAL
);
582 assert_return(ret
, -EINVAL
);
584 if (!(c
->mask
& SD_BUS_CREDS_TTY
))
594 _public_
int sd_bus_creds_get_unique_name(sd_bus_creds
*c
, const char **unique_name
) {
595 assert_return(c
, -EINVAL
);
596 assert_return(unique_name
, -EINVAL
);
598 if (!(c
->mask
& SD_BUS_CREDS_UNIQUE_NAME
))
601 *unique_name
= c
->unique_name
;
605 _public_
int sd_bus_creds_get_well_known_names(sd_bus_creds
*c
, char ***well_known_names
) {
606 assert_return(c
, -EINVAL
);
607 assert_return(well_known_names
, -EINVAL
);
609 if (!(c
->mask
& SD_BUS_CREDS_WELL_KNOWN_NAMES
))
612 /* As a special hack we return the bus driver as well-known
613 * names list when this is requested. */
614 if (c
->well_known_names_driver
) {
615 static const char* const wkn
[] = {
616 "org.freedesktop.DBus",
620 *well_known_names
= (char**) wkn
;
624 if (c
->well_known_names_local
) {
625 static const char* const wkn
[] = {
626 "org.freedesktop.DBus.Local",
630 *well_known_names
= (char**) wkn
;
634 *well_known_names
= c
->well_known_names
;
638 _public_
int sd_bus_creds_get_description(sd_bus_creds
*c
, const char **ret
) {
639 assert_return(c
, -EINVAL
);
640 assert_return(ret
, -EINVAL
);
642 if (!(c
->mask
& SD_BUS_CREDS_DESCRIPTION
))
645 assert(c
->description
);
647 if (!c
->unescaped_description
) {
648 c
->unescaped_description
= bus_label_unescape(c
->description
);
649 if (!c
->unescaped_description
)
653 *ret
= c
->unescaped_description
;
657 static int has_cap(sd_bus_creds
*c
, unsigned offset
, int capability
) {
661 assert(capability
>= 0);
662 assert(c
->capability
);
664 if ((unsigned) capability
> cap_last_cap())
667 sz
= DIV_ROUND_UP(cap_last_cap(), 32U);
669 return !!(c
->capability
[offset
* sz
+ CAP_TO_INDEX(capability
)] & CAP_TO_MASK(capability
));
672 _public_
int sd_bus_creds_has_effective_cap(sd_bus_creds
*c
, int capability
) {
673 assert_return(c
, -EINVAL
);
674 assert_return(capability
>= 0, -EINVAL
);
676 if (!(c
->mask
& SD_BUS_CREDS_EFFECTIVE_CAPS
))
679 return has_cap(c
, CAP_OFFSET_EFFECTIVE
, capability
);
682 _public_
int sd_bus_creds_has_permitted_cap(sd_bus_creds
*c
, int capability
) {
683 assert_return(c
, -EINVAL
);
684 assert_return(capability
>= 0, -EINVAL
);
686 if (!(c
->mask
& SD_BUS_CREDS_PERMITTED_CAPS
))
689 return has_cap(c
, CAP_OFFSET_PERMITTED
, capability
);
692 _public_
int sd_bus_creds_has_inheritable_cap(sd_bus_creds
*c
, int capability
) {
693 assert_return(c
, -EINVAL
);
694 assert_return(capability
>= 0, -EINVAL
);
696 if (!(c
->mask
& SD_BUS_CREDS_INHERITABLE_CAPS
))
699 return has_cap(c
, CAP_OFFSET_INHERITABLE
, capability
);
702 _public_
int sd_bus_creds_has_bounding_cap(sd_bus_creds
*c
, int capability
) {
703 assert_return(c
, -EINVAL
);
704 assert_return(capability
>= 0, -EINVAL
);
706 if (!(c
->mask
& SD_BUS_CREDS_BOUNDING_CAPS
))
709 return has_cap(c
, CAP_OFFSET_BOUNDING
, capability
);
712 static int parse_caps(sd_bus_creds
*c
, unsigned offset
, const char *p
) {
719 max
= DIV_ROUND_UP(cap_last_cap(), 32U);
720 p
+= strspn(p
, WHITESPACE
);
730 if (!c
->capability
) {
731 c
->capability
= new0(uint32_t, max
* 4);
736 for (i
= 0; i
< sz
; i
++) {
739 for (j
= 0; j
< 8; ++j
) {
749 c
->capability
[offset
* max
+ (sz
- i
- 1)] = v
;
755 int bus_creds_add_more(sd_bus_creds
*c
, uint64_t mask
, pid_t pid
, pid_t tid
) {
760 assert(c
->allocated
);
762 if (!(mask
& SD_BUS_CREDS_AUGMENT
))
765 /* Try to retrieve PID from creds if it wasn't passed to us */
768 c
->mask
|= SD_BUS_CREDS_PID
;
769 } else if (c
->mask
& SD_BUS_CREDS_PID
)
772 /* Without pid we cannot do much... */
775 /* Try to retrieve TID from creds if it wasn't passed to us */
776 if (tid
<= 0 && (c
->mask
& SD_BUS_CREDS_TID
))
779 /* Calculate what we shall and can add */
780 missing
= mask
& ~(c
->mask
|SD_BUS_CREDS_PID
|SD_BUS_CREDS_TID
|SD_BUS_CREDS_UNIQUE_NAME
|SD_BUS_CREDS_WELL_KNOWN_NAMES
|SD_BUS_CREDS_DESCRIPTION
|SD_BUS_CREDS_AUGMENT
);
786 c
->mask
|= SD_BUS_CREDS_TID
;
789 if (missing
& (SD_BUS_CREDS_PPID
|
790 SD_BUS_CREDS_UID
| SD_BUS_CREDS_EUID
| SD_BUS_CREDS_SUID
| SD_BUS_CREDS_FSUID
|
791 SD_BUS_CREDS_GID
| SD_BUS_CREDS_EGID
| SD_BUS_CREDS_SGID
| SD_BUS_CREDS_FSGID
|
792 SD_BUS_CREDS_SUPPLEMENTARY_GIDS
|
793 SD_BUS_CREDS_EFFECTIVE_CAPS
| SD_BUS_CREDS_INHERITABLE_CAPS
|
794 SD_BUS_CREDS_PERMITTED_CAPS
| SD_BUS_CREDS_BOUNDING_CAPS
)) {
796 _cleanup_fclose_
FILE *f
= NULL
;
799 p
= procfs_file_alloca(pid
, "status");
805 else if (!IN_SET(errno
, EPERM
, EACCES
))
810 FOREACH_LINE(line
, f
, return -errno
) {
813 if (missing
& SD_BUS_CREDS_PPID
) {
814 p
= startswith(line
, "PPid:");
816 p
+= strspn(p
, WHITESPACE
);
818 /* Explicitly check for PPID 0 (which is the case for PID 1) */
819 if (!streq(p
, "0")) {
820 r
= parse_pid(p
, &c
->ppid
);
827 c
->mask
|= SD_BUS_CREDS_PPID
;
832 if (missing
& (SD_BUS_CREDS_UID
|SD_BUS_CREDS_EUID
|SD_BUS_CREDS_SUID
|SD_BUS_CREDS_FSUID
)) {
833 p
= startswith(line
, "Uid:");
835 unsigned long uid
, euid
, suid
, fsuid
;
837 p
+= strspn(p
, WHITESPACE
);
838 if (sscanf(p
, "%lu %lu %lu %lu", &uid
, &euid
, &suid
, &fsuid
) != 4)
841 if (missing
& SD_BUS_CREDS_UID
)
842 c
->uid
= (uid_t
) uid
;
843 if (missing
& SD_BUS_CREDS_EUID
)
844 c
->euid
= (uid_t
) euid
;
845 if (missing
& SD_BUS_CREDS_SUID
)
846 c
->suid
= (uid_t
) suid
;
847 if (missing
& SD_BUS_CREDS_FSUID
)
848 c
->fsuid
= (uid_t
) fsuid
;
850 c
->mask
|= missing
& (SD_BUS_CREDS_UID
|SD_BUS_CREDS_EUID
|SD_BUS_CREDS_SUID
|SD_BUS_CREDS_FSUID
);
855 if (missing
& (SD_BUS_CREDS_GID
|SD_BUS_CREDS_EGID
|SD_BUS_CREDS_SGID
|SD_BUS_CREDS_FSGID
)) {
856 p
= startswith(line
, "Gid:");
858 unsigned long gid
, egid
, sgid
, fsgid
;
860 p
+= strspn(p
, WHITESPACE
);
861 if (sscanf(p
, "%lu %lu %lu %lu", &gid
, &egid
, &sgid
, &fsgid
) != 4)
864 if (missing
& SD_BUS_CREDS_GID
)
865 c
->gid
= (gid_t
) gid
;
866 if (missing
& SD_BUS_CREDS_EGID
)
867 c
->egid
= (gid_t
) egid
;
868 if (missing
& SD_BUS_CREDS_SGID
)
869 c
->sgid
= (gid_t
) sgid
;
870 if (missing
& SD_BUS_CREDS_FSGID
)
871 c
->fsgid
= (gid_t
) fsgid
;
873 c
->mask
|= missing
& (SD_BUS_CREDS_GID
|SD_BUS_CREDS_EGID
|SD_BUS_CREDS_SGID
|SD_BUS_CREDS_FSGID
);
878 if (missing
& SD_BUS_CREDS_SUPPLEMENTARY_GIDS
) {
879 p
= startswith(line
, "Groups:");
881 size_t allocated
= 0;
887 p
+= strspn(p
, WHITESPACE
);
891 if (sscanf(p
, "%lu%n", &g
, &n
) != 1)
894 if (!GREEDY_REALLOC(c
->supplementary_gids
, allocated
, c
->n_supplementary_gids
+1))
897 c
->supplementary_gids
[c
->n_supplementary_gids
++] = (gid_t
) g
;
901 c
->mask
|= SD_BUS_CREDS_SUPPLEMENTARY_GIDS
;
906 if (missing
& SD_BUS_CREDS_EFFECTIVE_CAPS
) {
907 p
= startswith(line
, "CapEff:");
909 r
= parse_caps(c
, CAP_OFFSET_EFFECTIVE
, p
);
913 c
->mask
|= SD_BUS_CREDS_EFFECTIVE_CAPS
;
918 if (missing
& SD_BUS_CREDS_PERMITTED_CAPS
) {
919 p
= startswith(line
, "CapPrm:");
921 r
= parse_caps(c
, CAP_OFFSET_PERMITTED
, p
);
925 c
->mask
|= SD_BUS_CREDS_PERMITTED_CAPS
;
930 if (missing
& SD_BUS_CREDS_INHERITABLE_CAPS
) {
931 p
= startswith(line
, "CapInh:");
933 r
= parse_caps(c
, CAP_OFFSET_INHERITABLE
, p
);
937 c
->mask
|= SD_BUS_CREDS_INHERITABLE_CAPS
;
942 if (missing
& SD_BUS_CREDS_BOUNDING_CAPS
) {
943 p
= startswith(line
, "CapBnd:");
945 r
= parse_caps(c
, CAP_OFFSET_BOUNDING
, p
);
949 c
->mask
|= SD_BUS_CREDS_BOUNDING_CAPS
;
957 if (missing
& SD_BUS_CREDS_SELINUX_CONTEXT
) {
960 p
= procfs_file_alloca(pid
, "attr/current");
961 r
= read_one_line_file(p
, &c
->label
);
963 if (!IN_SET(r
, -ENOENT
, -EINVAL
, -EPERM
, -EACCES
))
966 c
->mask
|= SD_BUS_CREDS_SELINUX_CONTEXT
;
969 if (missing
& SD_BUS_CREDS_COMM
) {
970 r
= get_process_comm(pid
, &c
->comm
);
972 if (!IN_SET(r
, -EPERM
, -EACCES
))
975 c
->mask
|= SD_BUS_CREDS_COMM
;
978 if (missing
& SD_BUS_CREDS_EXE
) {
979 r
= get_process_exe(pid
, &c
->exe
);
981 /* Unfortunately we cannot really distinguish
982 * the case here where the process does not
983 * exist, and /proc/$PID/exe being unreadable
984 * because $PID is a kernel thread. Hence,
985 * assume it is a kernel thread, and rely on
986 * that this case is caught with a later
989 c
->mask
|= SD_BUS_CREDS_EXE
;
991 if (!IN_SET(r
, -EPERM
, -EACCES
))
994 c
->mask
|= SD_BUS_CREDS_EXE
;
997 if (missing
& SD_BUS_CREDS_CMDLINE
) {
1000 p
= procfs_file_alloca(pid
, "cmdline");
1001 r
= read_full_file(p
, &c
->cmdline
, &c
->cmdline_size
);
1005 if (!IN_SET(r
, -EPERM
, -EACCES
))
1008 if (c
->cmdline_size
== 0)
1009 c
->cmdline
= mfree(c
->cmdline
);
1011 c
->mask
|= SD_BUS_CREDS_CMDLINE
;
1015 if (tid
> 0 && (missing
& SD_BUS_CREDS_TID_COMM
)) {
1016 _cleanup_free_
char *p
= NULL
;
1018 if (asprintf(&p
, "/proc/"PID_FMT
"/task/"PID_FMT
"/comm", pid
, tid
) < 0)
1021 r
= read_one_line_file(p
, &c
->tid_comm
);
1025 if (!IN_SET(r
, -EPERM
, -EACCES
))
1028 c
->mask
|= SD_BUS_CREDS_TID_COMM
;
1031 if (missing
& (SD_BUS_CREDS_CGROUP
|SD_BUS_CREDS_UNIT
|SD_BUS_CREDS_USER_UNIT
|SD_BUS_CREDS_SLICE
|SD_BUS_CREDS_USER_SLICE
|SD_BUS_CREDS_SESSION
|SD_BUS_CREDS_OWNER_UID
)) {
1034 r
= cg_pid_get_path(NULL
, pid
, &c
->cgroup
);
1036 if (!IN_SET(r
, -EPERM
, -EACCES
))
1041 if (!c
->cgroup_root
) {
1042 r
= cg_get_root_path(&c
->cgroup_root
);
1048 c
->mask
|= missing
& (SD_BUS_CREDS_CGROUP
|SD_BUS_CREDS_UNIT
|SD_BUS_CREDS_USER_UNIT
|SD_BUS_CREDS_SLICE
|SD_BUS_CREDS_USER_SLICE
|SD_BUS_CREDS_SESSION
|SD_BUS_CREDS_OWNER_UID
);
1051 if (missing
& SD_BUS_CREDS_AUDIT_SESSION_ID
) {
1052 r
= audit_session_from_pid(pid
, &c
->audit_session_id
);
1053 if (r
== -ENODATA
) {
1054 /* ENODATA means: no audit session id assigned */
1055 c
->audit_session_id
= AUDIT_SESSION_INVALID
;
1056 c
->mask
|= SD_BUS_CREDS_AUDIT_SESSION_ID
;
1058 if (!IN_SET(r
, -EOPNOTSUPP
, -ENOENT
, -EPERM
, -EACCES
))
1061 c
->mask
|= SD_BUS_CREDS_AUDIT_SESSION_ID
;
1064 if (missing
& SD_BUS_CREDS_AUDIT_LOGIN_UID
) {
1065 r
= audit_loginuid_from_pid(pid
, &c
->audit_login_uid
);
1066 if (r
== -ENODATA
) {
1067 /* ENODATA means: no audit login uid assigned */
1068 c
->audit_login_uid
= UID_INVALID
;
1069 c
->mask
|= SD_BUS_CREDS_AUDIT_LOGIN_UID
;
1071 if (!IN_SET(r
, -EOPNOTSUPP
, -ENOENT
, -EPERM
, -EACCES
))
1074 c
->mask
|= SD_BUS_CREDS_AUDIT_LOGIN_UID
;
1077 if (missing
& SD_BUS_CREDS_TTY
) {
1078 r
= get_ctty(pid
, NULL
, &c
->tty
);
1080 /* ENXIO means: process has no controlling TTY */
1082 c
->mask
|= SD_BUS_CREDS_TTY
;
1084 if (!IN_SET(r
, -EPERM
, -EACCES
, -ENOENT
))
1087 c
->mask
|= SD_BUS_CREDS_TTY
;
1090 /* In case only the exe path was to be read we cannot
1091 * distinguish the case where the exe path was unreadable
1092 * because the process was a kernel thread, or when the
1093 * process didn't exist at all. Hence, let's do a final check,
1095 if (!pid_is_alive(pid
))
1098 if (tid
> 0 && tid
!= pid
&& !pid_is_unwaited(tid
))
1101 c
->augmented
= missing
& c
->mask
;
1106 int bus_creds_extend_by_pid(sd_bus_creds
*c
, uint64_t mask
, sd_bus_creds
**ret
) {
1107 _cleanup_(sd_bus_creds_unrefp
) sd_bus_creds
*n
= NULL
;
1113 if ((mask
& ~c
->mask
) == 0 || (!(mask
& SD_BUS_CREDS_AUGMENT
))) {
1114 /* There's already all data we need, or augmentation
1115 * wasn't turned on. */
1117 *ret
= sd_bus_creds_ref(c
);
1121 n
= bus_creds_new();
1125 /* Copy the original data over */
1127 if (c
->mask
& mask
& SD_BUS_CREDS_PID
) {
1129 n
->mask
|= SD_BUS_CREDS_PID
;
1132 if (c
->mask
& mask
& SD_BUS_CREDS_TID
) {
1134 n
->mask
|= SD_BUS_CREDS_TID
;
1137 if (c
->mask
& mask
& SD_BUS_CREDS_PPID
) {
1139 n
->mask
|= SD_BUS_CREDS_PPID
;
1142 if (c
->mask
& mask
& SD_BUS_CREDS_UID
) {
1144 n
->mask
|= SD_BUS_CREDS_UID
;
1147 if (c
->mask
& mask
& SD_BUS_CREDS_EUID
) {
1149 n
->mask
|= SD_BUS_CREDS_EUID
;
1152 if (c
->mask
& mask
& SD_BUS_CREDS_SUID
) {
1154 n
->mask
|= SD_BUS_CREDS_SUID
;
1157 if (c
->mask
& mask
& SD_BUS_CREDS_FSUID
) {
1158 n
->fsuid
= c
->fsuid
;
1159 n
->mask
|= SD_BUS_CREDS_FSUID
;
1162 if (c
->mask
& mask
& SD_BUS_CREDS_GID
) {
1164 n
->mask
|= SD_BUS_CREDS_GID
;
1167 if (c
->mask
& mask
& SD_BUS_CREDS_EGID
) {
1169 n
->mask
|= SD_BUS_CREDS_EGID
;
1172 if (c
->mask
& mask
& SD_BUS_CREDS_SGID
) {
1174 n
->mask
|= SD_BUS_CREDS_SGID
;
1177 if (c
->mask
& mask
& SD_BUS_CREDS_FSGID
) {
1178 n
->fsgid
= c
->fsgid
;
1179 n
->mask
|= SD_BUS_CREDS_FSGID
;
1182 if (c
->mask
& mask
& SD_BUS_CREDS_SUPPLEMENTARY_GIDS
) {
1183 if (c
->supplementary_gids
) {
1184 n
->supplementary_gids
= newdup(gid_t
, c
->supplementary_gids
, c
->n_supplementary_gids
);
1185 if (!n
->supplementary_gids
)
1187 n
->n_supplementary_gids
= c
->n_supplementary_gids
;
1189 n
->supplementary_gids
= NULL
;
1190 n
->n_supplementary_gids
= 0;
1193 n
->mask
|= SD_BUS_CREDS_SUPPLEMENTARY_GIDS
;
1196 if (c
->mask
& mask
& SD_BUS_CREDS_COMM
) {
1199 n
->comm
= strdup(c
->comm
);
1203 n
->mask
|= SD_BUS_CREDS_COMM
;
1206 if (c
->mask
& mask
& SD_BUS_CREDS_TID_COMM
) {
1207 assert(c
->tid_comm
);
1209 n
->tid_comm
= strdup(c
->tid_comm
);
1213 n
->mask
|= SD_BUS_CREDS_TID_COMM
;
1216 if (c
->mask
& mask
& SD_BUS_CREDS_EXE
) {
1218 n
->exe
= strdup(c
->exe
);
1224 n
->mask
|= SD_BUS_CREDS_EXE
;
1227 if (c
->mask
& mask
& SD_BUS_CREDS_CMDLINE
) {
1229 n
->cmdline
= memdup(c
->cmdline
, c
->cmdline_size
);
1233 n
->cmdline_size
= c
->cmdline_size
;
1236 n
->cmdline_size
= 0;
1239 n
->mask
|= SD_BUS_CREDS_CMDLINE
;
1242 if (c
->mask
& mask
& (SD_BUS_CREDS_CGROUP
|SD_BUS_CREDS_SESSION
|SD_BUS_CREDS_UNIT
|SD_BUS_CREDS_USER_UNIT
|SD_BUS_CREDS_SLICE
|SD_BUS_CREDS_USER_SLICE
|SD_BUS_CREDS_OWNER_UID
)) {
1245 n
->cgroup
= strdup(c
->cgroup
);
1249 n
->cgroup_root
= strdup(c
->cgroup_root
);
1250 if (!n
->cgroup_root
)
1253 n
->mask
|= mask
& (SD_BUS_CREDS_CGROUP
|SD_BUS_CREDS_SESSION
|SD_BUS_CREDS_UNIT
|SD_BUS_CREDS_USER_UNIT
|SD_BUS_CREDS_SLICE
|SD_BUS_CREDS_USER_SLICE
|SD_BUS_CREDS_OWNER_UID
);
1256 if (c
->mask
& mask
& (SD_BUS_CREDS_EFFECTIVE_CAPS
|SD_BUS_CREDS_PERMITTED_CAPS
|SD_BUS_CREDS_INHERITABLE_CAPS
|SD_BUS_CREDS_BOUNDING_CAPS
)) {
1257 assert(c
->capability
);
1259 n
->capability
= memdup(c
->capability
, DIV_ROUND_UP(cap_last_cap(), 32U) * 4 * 4);
1263 n
->mask
|= c
->mask
& mask
& (SD_BUS_CREDS_EFFECTIVE_CAPS
|SD_BUS_CREDS_PERMITTED_CAPS
|SD_BUS_CREDS_INHERITABLE_CAPS
|SD_BUS_CREDS_BOUNDING_CAPS
);
1266 if (c
->mask
& mask
& SD_BUS_CREDS_SELINUX_CONTEXT
) {
1269 n
->label
= strdup(c
->label
);
1272 n
->mask
|= SD_BUS_CREDS_SELINUX_CONTEXT
;
1275 if (c
->mask
& mask
& SD_BUS_CREDS_AUDIT_SESSION_ID
) {
1276 n
->audit_session_id
= c
->audit_session_id
;
1277 n
->mask
|= SD_BUS_CREDS_AUDIT_SESSION_ID
;
1279 if (c
->mask
& mask
& SD_BUS_CREDS_AUDIT_LOGIN_UID
) {
1280 n
->audit_login_uid
= c
->audit_login_uid
;
1281 n
->mask
|= SD_BUS_CREDS_AUDIT_LOGIN_UID
;
1284 if (c
->mask
& mask
& SD_BUS_CREDS_TTY
) {
1286 n
->tty
= strdup(c
->tty
);
1291 n
->mask
|= SD_BUS_CREDS_TTY
;
1294 if (c
->mask
& mask
& SD_BUS_CREDS_UNIQUE_NAME
) {
1295 assert(c
->unique_name
);
1297 n
->unique_name
= strdup(c
->unique_name
);
1298 if (!n
->unique_name
)
1300 n
->mask
|= SD_BUS_CREDS_UNIQUE_NAME
;
1303 if (c
->mask
& mask
& SD_BUS_CREDS_WELL_KNOWN_NAMES
) {
1304 if (strv_isempty(c
->well_known_names
))
1305 n
->well_known_names
= NULL
;
1307 n
->well_known_names
= strv_copy(c
->well_known_names
);
1308 if (!n
->well_known_names
)
1311 n
->well_known_names_driver
= c
->well_known_names_driver
;
1312 n
->well_known_names_local
= c
->well_known_names_local
;
1313 n
->mask
|= SD_BUS_CREDS_WELL_KNOWN_NAMES
;
1316 if (c
->mask
& mask
& SD_BUS_CREDS_DESCRIPTION
) {
1317 assert(c
->description
);
1318 n
->description
= strdup(c
->description
);
1319 if (!n
->description
)
1321 n
->mask
|= SD_BUS_CREDS_DESCRIPTION
;
1324 n
->augmented
= c
->augmented
& n
->mask
;
1328 r
= bus_creds_add_more(n
, mask
, 0, 0);