]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/libsystemd/sd-device/device-monitor.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
device-util: Declare iterator variables inline
[thirdparty/systemd.git] / src / libsystemd / sd-device / device-monitor.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <linux/filter.h>
5 #include <linux/netlink.h>
6 #include <linux/sockios.h>
7 #include <sys/ioctl.h>
8 #include <unistd.h>
9
10 #include "sd-device.h"
11 #include "sd-event.h"
12
13 #include "MurmurHash2.h"
14 #include "alloc-util.h"
15 #include "device-filter.h"
16 #include "device-monitor-private.h"
17 #include "device-private.h"
18 #include "device-util.h"
19 #include "errno-util.h"
20 #include "fd-util.h"
21 #include "format-util.h"
22 #include "hashmap.h"
23 #include "io-util.h"
24 #include "missing_socket.h"
25 #include "mountpoint-util.h"
26 #include "set.h"
27 #include "socket-util.h"
28 #include "stat-util.h"
29 #include "string-util.h"
30 #include "strv.h"
31 #include "uid-range.h"
32
33 #define log_monitor(m, format, ...) \
34 log_debug("sd-device-monitor(%s): " format, strna(m ? m->description : NULL), ##__VA_ARGS__)
35 #define log_monitor_errno(m, r, format, ...) \
36 log_debug_errno(r, "sd-device-monitor(%s): " format, strna(m ? m->description : NULL), ##__VA_ARGS__)
37 #define log_device_monitor(d, m, format, ...) \
38 log_device_debug(d, "sd-device-monitor(%s): " format, strna(m ? m->description : NULL), ##__VA_ARGS__)
39 #define log_device_monitor_errno(d, m, r, format, ...) \
40 log_device_debug_errno(d, r, "sd-device-monitor(%s): " format, strna(m ? m->description : NULL), ##__VA_ARGS__)
41
42 struct sd_device_monitor {
43 unsigned n_ref;
44
45 int sock;
46 union sockaddr_union snl;
47 union sockaddr_union snl_trusted_sender;
48 bool bound;
49
50 UidRange *mapped_userns_uid_range;
51
52 Hashmap *subsystem_filter;
53 Set *tag_filter;
54 Hashmap *match_sysattr_filter;
55 Hashmap *nomatch_sysattr_filter;
56 Set *match_parent_filter;
57 Set *nomatch_parent_filter;
58 bool filter_uptodate;
59
60 sd_event *event;
61 sd_event_source *event_source;
62 char *description;
63 sd_device_monitor_handler_t callback;
64 void *userdata;
65 };
66
67 #define UDEV_MONITOR_MAGIC 0xfeedcafe
68
69 typedef struct monitor_netlink_header {
70 /* "libudev" prefix to distinguish libudev and kernel messages */
71 char prefix[8];
72 /* Magic to protect against daemon <-> Library message format mismatch
73 * Used in the kernel from socket filter rules; needs to be stored in network order */
74 unsigned magic;
75 /* Total length of header structure known to the sender */
76 unsigned header_size;
77 /* Properties string buffer */
78 unsigned properties_off;
79 unsigned properties_len;
80 /* Hashes of primary device properties strings, to let libudev subscribers
81 * use in-kernel socket filters; values need to be stored in network order */
82 unsigned filter_subsystem_hash;
83 unsigned filter_devtype_hash;
84 unsigned filter_tag_bloom_hi;
85 unsigned filter_tag_bloom_lo;
86 } monitor_netlink_header;
87
88 static int monitor_set_nl_address(sd_device_monitor *m) {
89 union sockaddr_union snl;
90 socklen_t addrlen;
91
92 assert(m);
93
94 /* Get the address the kernel has assigned us.
95 * It is usually, but not necessarily the pid. */
96 addrlen = sizeof(struct sockaddr_nl);
97 if (getsockname(m->sock, &snl.sa, &addrlen) < 0)
98 return -errno;
99
100 m->snl.nl.nl_pid = snl.nl.nl_pid;
101 return 0;
102 }
103
104 int device_monitor_allow_unicast_sender(sd_device_monitor *m, sd_device_monitor *sender) {
105 assert(m);
106 assert(sender);
107
108 m->snl_trusted_sender.nl.nl_pid = sender->snl.nl.nl_pid;
109 return 0;
110 }
111
112 _public_ int sd_device_monitor_set_receive_buffer_size(sd_device_monitor *m, size_t size) {
113 assert_return(m, -EINVAL);
114
115 return fd_set_rcvbuf(m->sock, size, false);
116 }
117
118 int device_monitor_disconnect(sd_device_monitor *m) {
119 assert(m);
120
121 m->sock = safe_close(m->sock);
122 return 0;
123 }
124
125 int device_monitor_get_fd(sd_device_monitor *m) {
126 assert(m);
127
128 return m->sock;
129 }
130
131 int device_monitor_new_full(sd_device_monitor **ret, MonitorNetlinkGroup group, int fd) {
132 _cleanup_(sd_device_monitor_unrefp) sd_device_monitor *m = NULL;
133 _cleanup_close_ int sock = -EBADF;
134 int r;
135
136 assert(group >= 0 && group < _MONITOR_NETLINK_GROUP_MAX);
137 assert_return(ret, -EINVAL);
138
139 if (group == MONITOR_GROUP_UDEV &&
140 access("/run/udev/control", F_OK) < 0 &&
141 dev_is_devtmpfs() <= 0) {
142
143 /*
144 * We do not support subscribing to uevents if no instance of
145 * udev is running. Uevents would otherwise broadcast the
146 * processing data of the host into containers, which is not
147 * desired.
148 *
149 * Containers will currently not get any udev uevents, until
150 * a supporting infrastructure is available.
151 *
152 * We do not set a netlink multicast group here, so the socket
153 * will not receive any messages.
154 */
155
156 log_monitor(m, "The udev service seems not to be active, disabling the monitor.");
157 group = MONITOR_GROUP_NONE;
158 }
159
160 if (fd < 0) {
161 sock = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT);
162 if (sock < 0)
163 return log_monitor_errno(m, errno, "Failed to create socket: %m");
164 }
165
166 m = new(sd_device_monitor, 1);
167 if (!m)
168 return -ENOMEM;
169
170 *m = (sd_device_monitor) {
171 .n_ref = 1,
172 .sock = fd >= 0 ? fd : TAKE_FD(sock),
173 .bound = fd >= 0,
174 .snl.nl.nl_family = AF_NETLINK,
175 .snl.nl.nl_groups = group,
176 };
177
178 if (fd >= 0) {
179 r = monitor_set_nl_address(m);
180 if (r < 0) {
181 log_monitor_errno(m, r, "Failed to set netlink address: %m");
182 goto fail;
183 }
184 }
185
186 if (DEBUG_LOGGING) {
187 _cleanup_close_ int netns = -EBADF;
188
189 /* So here's the thing: only AF_NETLINK sockets from the main network namespace will get
190 * hardware events. Let's check if ours is from there, and if not generate a debug message,
191 * since we cannot possibly work correctly otherwise. This is just a safety check to make
192 * things easier to debug. */
193
194 netns = ioctl(m->sock, SIOCGSKNS);
195 if (netns < 0)
196 log_monitor_errno(m, errno, "Unable to get network namespace of udev netlink socket, unable to determine if we are in host netns, ignoring: %m");
197 else {
198 struct stat a, b;
199
200 if (fstat(netns, &a) < 0) {
201 r = log_monitor_errno(m, errno, "Failed to stat netns of udev netlink socket: %m");
202 goto fail;
203 }
204
205 if (stat("/proc/1/ns/net", &b) < 0) {
206 if (ERRNO_IS_PRIVILEGE(errno))
207 /* If we can't access PID1's netns info due to permissions, it's fine, this is a
208 * safety check only after all. */
209 log_monitor_errno(m, errno, "No permission to stat PID1's netns, unable to determine if we are in host netns, ignoring: %m");
210 else
211 log_monitor_errno(m, errno, "Failed to stat PID1's netns, ignoring: %m");
212
213 } else if (!stat_inode_same(&a, &b))
214 log_monitor(m, "Netlink socket we listen on is not from host netns, we won't see device events.");
215 }
216 }
217
218 *ret = TAKE_PTR(m);
219 return 0;
220
221 fail:
222 /* Let's unset the socket fd in the monitor object before we destroy it so that the fd passed in is
223 * not closed on failure. */
224 if (fd >= 0)
225 m->sock = -1;
226
227 return r;
228 }
229
230 _public_ int sd_device_monitor_new(sd_device_monitor **ret) {
231 return device_monitor_new_full(ret, MONITOR_GROUP_UDEV, -1);
232 }
233
234 _public_ int sd_device_monitor_stop(sd_device_monitor *m) {
235 assert_return(m, -EINVAL);
236
237 m->event_source = sd_event_source_unref(m->event_source);
238 (void) device_monitor_disconnect(m);
239
240 return 0;
241 }
242
243 static int device_monitor_event_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
244 _cleanup_(sd_device_unrefp) sd_device *device = NULL;
245 _unused_ _cleanup_(log_context_unrefp) LogContext *c = NULL;
246 sd_device_monitor *m = ASSERT_PTR(userdata);
247
248 if (device_monitor_receive_device(m, &device) <= 0)
249 return 0;
250
251 if (log_context_enabled())
252 c = log_context_new_strv_consume(device_make_log_fields(device));
253
254 if (m->callback)
255 return m->callback(m, device, m->userdata);
256
257 return 0;
258 }
259
260 _public_ int sd_device_monitor_start(sd_device_monitor *m, sd_device_monitor_handler_t callback, void *userdata) {
261 int r;
262
263 assert_return(m, -EINVAL);
264
265 if (!m->event) {
266 r = sd_device_monitor_attach_event(m, NULL);
267 if (r < 0)
268 return r;
269 }
270
271 r = device_monitor_enable_receiving(m);
272 if (r < 0)
273 return r;
274
275 m->callback = callback;
276 m->userdata = userdata;
277
278 r = sd_event_add_io(m->event, &m->event_source, m->sock, EPOLLIN, device_monitor_event_handler, m);
279 if (r < 0)
280 return r;
281
282 (void) sd_event_source_set_description(m->event_source, m->description ?: "sd-device-monitor");
283
284 return 0;
285 }
286
287 _public_ int sd_device_monitor_detach_event(sd_device_monitor *m) {
288 assert_return(m, -EINVAL);
289
290 (void) sd_device_monitor_stop(m);
291 m->event = sd_event_unref(m->event);
292
293 return 0;
294 }
295
296 _public_ int sd_device_monitor_attach_event(sd_device_monitor *m, sd_event *event) {
297 int r;
298
299 assert_return(m, -EINVAL);
300 assert_return(!m->event, -EBUSY);
301
302 if (event)
303 m->event = sd_event_ref(event);
304 else {
305 r = sd_event_default(&m->event);
306 if (r < 0)
307 return r;
308 }
309
310 return 0;
311 }
312
313 _public_ sd_event *sd_device_monitor_get_event(sd_device_monitor *m) {
314 assert_return(m, NULL);
315
316 return m->event;
317 }
318
319 _public_ sd_event_source *sd_device_monitor_get_event_source(sd_device_monitor *m) {
320 assert_return(m, NULL);
321
322 return m->event_source;
323 }
324
325 _public_ int sd_device_monitor_set_description(sd_device_monitor *m, const char *description) {
326 int r;
327
328 assert_return(m, -EINVAL);
329
330 r = free_and_strdup(&m->description, description);
331 if (r <= 0)
332 return r;
333
334 if (m->event_source)
335 (void) sd_event_source_set_description(m->event_source, description);
336
337 return r;
338 }
339
340 _public_ int sd_device_monitor_get_description(sd_device_monitor *m, const char **ret) {
341 assert_return(m, -EINVAL);
342 assert_return(ret, -EINVAL);
343
344 *ret = m->description;
345 return 0;
346 }
347
348 int device_monitor_enable_receiving(sd_device_monitor *m) {
349 int r;
350
351 assert(m);
352
353 r = sd_device_monitor_filter_update(m);
354 if (r < 0)
355 return log_monitor_errno(m, r, "Failed to update filter: %m");
356
357 if (!m->bound) {
358 /* enable receiving of sender credentials */
359 r = setsockopt_int(m->sock, SOL_SOCKET, SO_PASSCRED, true);
360 if (r < 0)
361 return log_monitor_errno(m, r, "Failed to set socket option SO_PASSCRED: %m");
362
363 if (bind(m->sock, &m->snl.sa, sizeof(struct sockaddr_nl)) < 0)
364 return log_monitor_errno(m, errno, "Failed to bind monitoring socket: %m");
365
366 m->bound = true;
367
368 r = monitor_set_nl_address(m);
369 if (r < 0)
370 return log_monitor_errno(m, r, "Failed to set address: %m");
371 }
372
373 return 0;
374 }
375
376 static sd_device_monitor *device_monitor_free(sd_device_monitor *m) {
377 assert(m);
378
379 (void) sd_device_monitor_detach_event(m);
380
381 uid_range_free(m->mapped_userns_uid_range);
382 free(m->description);
383 hashmap_free(m->subsystem_filter);
384 set_free(m->tag_filter);
385 hashmap_free(m->match_sysattr_filter);
386 hashmap_free(m->nomatch_sysattr_filter);
387 set_free(m->match_parent_filter);
388 set_free(m->nomatch_parent_filter);
389
390 return mfree(m);
391 }
392
393 DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_device_monitor, sd_device_monitor, device_monitor_free);
394
395 static int check_subsystem_filter(sd_device_monitor *m, sd_device *device) {
396 const char *s, *subsystem, *d, *devtype = NULL;
397 int r;
398
399 assert(m);
400 assert(device);
401
402 if (hashmap_isempty(m->subsystem_filter))
403 return true;
404
405 r = sd_device_get_subsystem(device, &subsystem);
406 if (r < 0)
407 return r;
408
409 r = sd_device_get_devtype(device, &devtype);
410 if (r < 0 && r != -ENOENT)
411 return r;
412
413 HASHMAP_FOREACH_KEY(d, s, m->subsystem_filter) {
414 if (!streq(s, subsystem))
415 continue;
416
417 if (!d || streq_ptr(d, devtype))
418 return true;
419 }
420
421 return false;
422 }
423
424 static bool check_tag_filter(sd_device_monitor *m, sd_device *device) {
425 const char *tag;
426
427 assert(m);
428 assert(device);
429
430 if (set_isempty(m->tag_filter))
431 return true;
432
433 SET_FOREACH(tag, m->tag_filter)
434 if (sd_device_has_tag(device, tag) > 0)
435 return true;
436
437 return false;
438 }
439
440 static int passes_filter(sd_device_monitor *m, sd_device *device) {
441 int r;
442
443 assert(m);
444 assert(device);
445
446 r = check_subsystem_filter(m, device);
447 if (r <= 0)
448 return r;
449
450 if (!check_tag_filter(m, device))
451 return false;
452
453 if (!device_match_sysattr(device, m->match_sysattr_filter, m->nomatch_sysattr_filter))
454 return false;
455
456 return device_match_parent(device, m->match_parent_filter, m->nomatch_parent_filter);
457 }
458
459 static bool check_sender_uid(sd_device_monitor *m, uid_t uid) {
460 int r;
461
462 assert(m);
463
464 /* Always trust messages from uid 0. */
465 if (uid == 0)
466 return true;
467
468 /* Trust messages sent by the same UID we are running. Currently, such situation happens only for
469 * unicast messages. */
470 if (uid == getuid() || uid == geteuid())
471 return true;
472
473 if (!m->mapped_userns_uid_range) {
474 r = uid_range_load_userns(&m->mapped_userns_uid_range, NULL);
475 if (r < 0)
476 log_monitor_errno(m, r, "Failed to load UID ranges mapped to the current user namespace, ignoring: %m");
477 }
478
479 /* Trust messages come from outside of the current user namespace. */
480 if (!uid_range_contains(m->mapped_userns_uid_range, uid))
481 return true;
482
483 /* Otherwise, refuse messages. */
484 return false;
485 }
486
487 int device_monitor_receive_device(sd_device_monitor *m, sd_device **ret) {
488 _cleanup_(sd_device_unrefp) sd_device *device = NULL;
489 _cleanup_free_ uint8_t *buf_alloc = NULL;
490 union {
491 monitor_netlink_header *nlh;
492 char *nulstr;
493 uint8_t *buf;
494 } message;
495 struct iovec iov;
496 CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred))) control;
497 union sockaddr_union snl;
498 struct msghdr smsg = {
499 .msg_iov = &iov,
500 .msg_iovlen = 1,
501 .msg_control = &control,
502 .msg_controllen = sizeof(control),
503 .msg_name = &snl,
504 .msg_namelen = sizeof(snl),
505 };
506 struct ucred *cred;
507 size_t offset;
508 ssize_t n;
509 bool is_initialized = false;
510 int r;
511
512 assert(m);
513 assert(ret);
514
515 n = next_datagram_size_fd(m->sock);
516 if (n < 0) {
517 if (!ERRNO_IS_TRANSIENT(n))
518 log_monitor_errno(m, n, "Failed to get the received message size: %m");
519 return n;
520 }
521
522 if ((size_t) n < ALLOCA_MAX / sizeof(uint8_t) / 2)
523 message.buf = newa(uint8_t, n);
524 else {
525 buf_alloc = new(uint8_t, n);
526 if (!buf_alloc)
527 return log_oom_debug();
528
529 message.buf = buf_alloc;
530 }
531
532 iov = IOVEC_MAKE(message.buf, n);
533
534 n = recvmsg(m->sock, &smsg, 0);
535 if (n < 0) {
536 if (!ERRNO_IS_TRANSIENT(errno))
537 log_monitor_errno(m, errno, "Failed to receive message: %m");
538 return -errno;
539 }
540
541 if (smsg.msg_flags & MSG_TRUNC)
542 return log_monitor_errno(m, SYNTHETIC_ERRNO(EINVAL), "Received truncated message, ignoring message.");
543
544 if (n < 32)
545 return log_monitor_errno(m, SYNTHETIC_ERRNO(EINVAL), "Invalid message length (%zi), ignoring message.", n);
546
547 if (snl.nl.nl_groups == MONITOR_GROUP_NONE) {
548 /* unicast message, check if we trust the sender */
549 if (m->snl_trusted_sender.nl.nl_pid == 0 ||
550 snl.nl.nl_pid != m->snl_trusted_sender.nl.nl_pid)
551 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
552 "Unicast netlink message ignored.");
553
554 } else if (snl.nl.nl_groups == MONITOR_GROUP_KERNEL) {
555 if (snl.nl.nl_pid > 0)
556 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
557 "Multicast kernel netlink message from PID %"PRIu32" ignored.",
558 snl.nl.nl_pid);
559 }
560
561 cred = CMSG_FIND_DATA(&smsg, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
562 if (!cred)
563 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
564 "No sender credentials received, ignoring message.");
565
566 if (!check_sender_uid(m, cred->uid))
567 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
568 "Sender uid="UID_FMT", message ignored.", cred->uid);
569
570 if (!memchr(message.buf, 0, n))
571 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN), "Received message without NUL, ignoring message.");
572
573 if (streq(message.nulstr, "libudev")) {
574 /* udev message needs proper version magic */
575 if (message.nlh->magic != htobe32(UDEV_MONITOR_MAGIC))
576 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
577 "Invalid message signature (%x != %x).",
578 message.nlh->magic, htobe32(UDEV_MONITOR_MAGIC));
579
580 if (message.nlh->properties_off + 32 > (size_t) n)
581 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN),
582 "Invalid offset for properties (%u > %zi).",
583 message.nlh->properties_off + 32, n);
584
585 offset = message.nlh->properties_off;
586
587 /* devices received from udev are always initialized */
588 is_initialized = true;
589
590 } else {
591 /* check kernel message header */
592 if (!strstr(message.nulstr, "@/"))
593 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN), "Invalid message header.");
594
595 offset = strlen(message.nulstr) + 1;
596 if (offset >= (size_t) n)
597 return log_monitor_errno(m, SYNTHETIC_ERRNO(EAGAIN), "Invalid message length.");
598 }
599
600 r = device_new_from_nulstr(&device, message.nulstr + offset, n - offset);
601 if (r < 0)
602 return log_monitor_errno(m, r, "Failed to create device from received message: %m");
603
604 if (is_initialized)
605 device_set_is_initialized(device);
606
607 /* Skip device, if it does not pass the current filter */
608 r = passes_filter(m, device);
609 if (r < 0)
610 return log_device_monitor_errno(device, m, r, "Failed to check received device passing filter: %m");
611 if (r == 0)
612 log_device_monitor(device, m, "Received device does not pass filter, ignoring.");
613 else
614 *ret = TAKE_PTR(device);
615
616 return r;
617 }
618
619 static uint32_t string_hash32(const char *str) {
620 return MurmurHash2(str, strlen(str), 0);
621 }
622
623 /* Get a bunch of bit numbers out of the hash, and set the bits in our bit field */
624 static uint64_t string_bloom64(const char *str) {
625 uint64_t bits = 0;
626 uint32_t hash = string_hash32(str);
627
628 bits |= UINT64_C(1) << (hash & 63);
629 bits |= UINT64_C(1) << ((hash >> 6) & 63);
630 bits |= UINT64_C(1) << ((hash >> 12) & 63);
631 bits |= UINT64_C(1) << ((hash >> 18) & 63);
632 return bits;
633 }
634
635 int device_monitor_send_device(
636 sd_device_monitor *m,
637 sd_device_monitor *destination,
638 sd_device *device) {
639
640 monitor_netlink_header nlh = {
641 .prefix = "libudev",
642 .magic = htobe32(UDEV_MONITOR_MAGIC),
643 .header_size = sizeof nlh,
644 };
645 struct iovec iov[2] = {
646 { .iov_base = &nlh, .iov_len = sizeof nlh },
647 };
648 struct msghdr smsg = {
649 .msg_iov = iov,
650 .msg_iovlen = 2,
651 };
652 /* default destination for sending */
653 union sockaddr_union default_destination = {
654 .nl.nl_family = AF_NETLINK,
655 .nl.nl_groups = MONITOR_GROUP_UDEV,
656 };
657 uint64_t tag_bloom_bits;
658 const char *buf, *val;
659 ssize_t count;
660 size_t blen;
661 int r;
662
663 assert(m);
664 assert(device);
665
666 r = device_get_properties_nulstr(device, &buf, &blen);
667 if (r < 0)
668 return log_device_monitor_errno(device, m, r, "Failed to get device properties: %m");
669 if (blen < 32)
670 return log_device_monitor_errno(device, m, SYNTHETIC_ERRNO(EINVAL),
671 "Length of device property nulstr is too small to contain valid device information.");
672
673 /* fill in versioned header */
674 r = sd_device_get_subsystem(device, &val);
675 if (r < 0)
676 return log_device_monitor_errno(device, m, r, "Failed to get device subsystem: %m");
677 nlh.filter_subsystem_hash = htobe32(string_hash32(val));
678
679 if (sd_device_get_devtype(device, &val) >= 0)
680 nlh.filter_devtype_hash = htobe32(string_hash32(val));
681
682 /* add tag bloom filter */
683 tag_bloom_bits = 0;
684 FOREACH_DEVICE_TAG(device, tag)
685 tag_bloom_bits |= string_bloom64(tag);
686
687 if (tag_bloom_bits > 0) {
688 nlh.filter_tag_bloom_hi = htobe32(tag_bloom_bits >> 32);
689 nlh.filter_tag_bloom_lo = htobe32(tag_bloom_bits & 0xffffffff);
690 }
691
692 /* add properties list */
693 nlh.properties_off = iov[0].iov_len;
694 nlh.properties_len = blen;
695 iov[1] = IOVEC_MAKE((char*) buf, blen);
696
697 /*
698 * Use custom address for target, or the default one.
699 *
700 * If we send to a multicast group, we will get
701 * ECONNREFUSED, which is expected.
702 */
703 smsg.msg_name = destination ? &destination->snl : &default_destination;
704 smsg.msg_namelen = sizeof(struct sockaddr_nl);
705 count = sendmsg(m->sock, &smsg, 0);
706 if (count < 0) {
707 if (!destination && errno == ECONNREFUSED) {
708 log_device_monitor(device, m, "Passed to netlink monitor.");
709 return 0;
710 } else
711 return log_device_monitor_errno(device, m, errno, "Failed to send device to netlink monitor: %m");
712 }
713
714 log_device_monitor(device, m, "Passed %zi byte to netlink monitor.", count);
715 return count;
716 }
717
718 static void bpf_stmt(struct sock_filter *ins, unsigned *i,
719 unsigned short code, unsigned data) {
720 ins[(*i)++] = (struct sock_filter) {
721 .code = code,
722 .k = data,
723 };
724 }
725
726 static void bpf_jmp(struct sock_filter *ins, unsigned *i,
727 unsigned short code, unsigned data,
728 unsigned short jt, unsigned short jf) {
729 ins[(*i)++] = (struct sock_filter) {
730 .code = code,
731 .jt = jt,
732 .jf = jf,
733 .k = data,
734 };
735 }
736
737 _public_ int sd_device_monitor_filter_update(sd_device_monitor *m) {
738 struct sock_filter ins[512] = {};
739 struct sock_fprog filter;
740 const char *subsystem, *devtype, *tag;
741 unsigned i = 0;
742
743 assert_return(m, -EINVAL);
744
745 if (m->filter_uptodate)
746 return 0;
747
748 if (m->snl.nl.nl_groups == MONITOR_GROUP_KERNEL ||
749 (hashmap_isempty(m->subsystem_filter) &&
750 set_isempty(m->tag_filter))) {
751 m->filter_uptodate = true;
752 return 0;
753 }
754
755 /* load magic in A */
756 bpf_stmt(ins, &i, BPF_LD|BPF_W|BPF_ABS, offsetof(monitor_netlink_header, magic));
757 /* jump if magic matches */
758 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, UDEV_MONITOR_MAGIC, 1, 0);
759 /* wrong magic, pass packet */
760 bpf_stmt(ins, &i, BPF_RET|BPF_K, 0xffffffff);
761
762 if (!set_isempty(m->tag_filter)) {
763 int tag_matches = set_size(m->tag_filter);
764
765 /* add all tags matches */
766 SET_FOREACH(tag, m->tag_filter) {
767 uint64_t tag_bloom_bits = string_bloom64(tag);
768 uint32_t tag_bloom_hi = tag_bloom_bits >> 32;
769 uint32_t tag_bloom_lo = tag_bloom_bits & 0xffffffff;
770
771 /* load device bloom bits in A */
772 bpf_stmt(ins, &i, BPF_LD|BPF_W|BPF_ABS, offsetof(monitor_netlink_header, filter_tag_bloom_hi));
773 /* clear bits (tag bits & bloom bits) */
774 bpf_stmt(ins, &i, BPF_ALU|BPF_AND|BPF_K, tag_bloom_hi);
775 /* jump to next tag if it does not match */
776 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, tag_bloom_hi, 0, 3);
777
778 /* load device bloom bits in A */
779 bpf_stmt(ins, &i, BPF_LD|BPF_W|BPF_ABS, offsetof(monitor_netlink_header, filter_tag_bloom_lo));
780 /* clear bits (tag bits & bloom bits) */
781 bpf_stmt(ins, &i, BPF_ALU|BPF_AND|BPF_K, tag_bloom_lo);
782 /* jump behind end of tag match block if tag matches */
783 tag_matches--;
784 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, tag_bloom_lo, 1 + (tag_matches * 6), 0);
785 }
786
787 /* nothing matched, drop packet */
788 bpf_stmt(ins, &i, BPF_RET|BPF_K, 0);
789 }
790
791 /* add all subsystem matches */
792 if (!hashmap_isempty(m->subsystem_filter)) {
793 HASHMAP_FOREACH_KEY(devtype, subsystem, m->subsystem_filter) {
794 uint32_t hash = string_hash32(subsystem);
795
796 /* load device subsystem value in A */
797 bpf_stmt(ins, &i, BPF_LD|BPF_W|BPF_ABS, offsetof(monitor_netlink_header, filter_subsystem_hash));
798 if (!devtype) {
799 /* jump if subsystem does not match */
800 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, hash, 0, 1);
801 } else {
802 /* jump if subsystem does not match */
803 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, hash, 0, 3);
804 /* load device devtype value in A */
805 bpf_stmt(ins, &i, BPF_LD|BPF_W|BPF_ABS, offsetof(monitor_netlink_header, filter_devtype_hash));
806 /* jump if value does not match */
807 hash = string_hash32(devtype);
808 bpf_jmp(ins, &i, BPF_JMP|BPF_JEQ|BPF_K, hash, 0, 1);
809 }
810
811 /* matched, pass packet */
812 bpf_stmt(ins, &i, BPF_RET|BPF_K, 0xffffffff);
813
814 if (i+1 >= ELEMENTSOF(ins))
815 return -E2BIG;
816 }
817
818 /* nothing matched, drop packet */
819 bpf_stmt(ins, &i, BPF_RET|BPF_K, 0);
820 }
821
822 /* matched, pass packet */
823 bpf_stmt(ins, &i, BPF_RET|BPF_K, 0xffffffff);
824
825 /* install filter */
826 filter = (struct sock_fprog) {
827 .len = i,
828 .filter = ins,
829 };
830 if (setsockopt(m->sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) < 0)
831 return -errno;
832
833 m->filter_uptodate = true;
834 return 0;
835 }
836
837 _public_ int sd_device_monitor_filter_add_match_subsystem_devtype(sd_device_monitor *m, const char *subsystem, const char *devtype) {
838 int r;
839
840 assert_return(m, -EINVAL);
841 assert_return(subsystem, -EINVAL);
842
843 /* Do not use string_has_ops_free_free or hashmap_put_strdup() here, as this may be called
844 * multiple times with the same subsystem but different devtypes. */
845 r = hashmap_put_strdup_full(&m->subsystem_filter, &trivial_hash_ops_free_free, subsystem, devtype);
846 if (r <= 0)
847 return r;
848
849 m->filter_uptodate = false;
850 return r;
851 }
852
853 _public_ int sd_device_monitor_filter_add_match_tag(sd_device_monitor *m, const char *tag) {
854 int r;
855
856 assert_return(m, -EINVAL);
857 assert_return(tag, -EINVAL);
858
859 r = set_put_strdup(&m->tag_filter, tag);
860 if (r <= 0)
861 return r;
862
863 m->filter_uptodate = false;
864 return r;
865 }
866
867 _public_ int sd_device_monitor_filter_add_match_sysattr(sd_device_monitor *m, const char *sysattr, const char *value, int match) {
868 Hashmap **hashmap;
869
870 assert_return(m, -EINVAL);
871 assert_return(sysattr, -EINVAL);
872
873 if (match)
874 hashmap = &m->match_sysattr_filter;
875 else
876 hashmap = &m->nomatch_sysattr_filter;
877
878 /* TODO: unset m->filter_uptodate on success when we support this filter on BPF. */
879 return update_match_strv(hashmap, sysattr, value, /* clear_on_null = */ true);
880 }
881
882 _public_ int sd_device_monitor_filter_add_match_parent(sd_device_monitor *m, sd_device *device, int match) {
883 const char *syspath;
884 Set **set;
885 int r;
886
887 assert_return(m, -EINVAL);
888 assert_return(device, -EINVAL);
889
890 r = sd_device_get_syspath(device, &syspath);
891 if (r < 0)
892 return r;
893
894 if (match)
895 set = &m->match_parent_filter;
896 else
897 set = &m->nomatch_parent_filter;
898
899 /* TODO: unset m->filter_uptodate on success when we support this filter on BPF. */
900 return set_put_strdup(set, syspath);
901 }
902
903 _public_ int sd_device_monitor_filter_remove(sd_device_monitor *m) {
904 static const struct sock_fprog filter = { 0, NULL };
905
906 assert_return(m, -EINVAL);
907
908 m->subsystem_filter = hashmap_free(m->subsystem_filter);
909 m->tag_filter = set_free(m->tag_filter);
910 m->match_sysattr_filter = hashmap_free(m->match_sysattr_filter);
911 m->nomatch_sysattr_filter = hashmap_free(m->nomatch_sysattr_filter);
912 m->match_parent_filter = set_free(m->match_parent_filter);
913 m->nomatch_parent_filter = set_free(m->nomatch_parent_filter);
914
915 if (setsockopt(m->sock, SOL_SOCKET, SO_DETACH_FILTER, &filter, sizeof(filter)) < 0)
916 return -errno;
917
918 m->filter_uptodate = true;
919 return 0;
920 }
Unnamed repository; edit this file 'description' to name the repository.