journald: get rid of get_process_capeff(), use pidref_get_capability() instead 35403/head
authorLennart Poettering <lennart@poettering.net>
Tue, 17 Dec 2024 18:02:24 +0000 (19:02 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 17 Dec 2024 18:06:54 +0000 (19:06 +0100)
This does pretty much the same, but is nicer, since it parses things
properly.

src/basic/capability-util.h
src/basic/process-util.c
src/basic/process-util.h
src/journal/journald-context.c
src/journal/journald-context.h
src/journal/journald-server.c
src/test/test-fileio.c

index 0195518d84e87f178ab082758d13776035f89fad..9caae1ac0649d30541aaf3d27457d624d68ad6f6 100644 (file)
@@ -67,7 +67,7 @@ typedef struct CapabilityQuintet {
 
 assert_cc(CAP_LAST_CAP < 64);
 
-#define CAPABILITY_QUINTET_NULL { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET }
+#define CAPABILITY_QUINTET_NULL (CapabilityQuintet) { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET }
 
 static inline bool capability_is_set(uint64_t v) {
         return v != CAP_MASK_UNSET;
index c74a7e7ea49115135b8e6beb69c600135b646aa8..d02a122a354fa75ab7666336f643468a65226ff6 100644 (file)
@@ -500,22 +500,6 @@ int pidref_is_kernel_thread(const PidRef *pid) {
         return result;
 }
 
-int get_process_capeff(pid_t pid, char **ret) {
-        const char *p;
-        int r;
-
-        assert(pid >= 0);
-        assert(ret);
-
-        p = procfs_file_alloca(pid, "status");
-
-        r = get_proc_field(p, "CapEff", WHITESPACE, ret);
-        if (r == -ENOENT)
-                return -ESRCH;
-
-        return r;
-}
-
 static int get_process_link_contents(pid_t pid, const char *proc_file, char **ret) {
         const char *p;
         int r;
index 0763b64cff0f2529efd729a0f0733fec782f53e1..f1088afc1dbb0e5e337fad526c95c9aa801b0a83 100644 (file)
@@ -50,7 +50,6 @@ int get_process_exe(pid_t pid, char **ret);
 int pid_get_uid(pid_t pid, uid_t *ret);
 int pidref_get_uid(const PidRef *pid, uid_t *ret);
 int get_process_gid(pid_t pid, gid_t *ret);
-int get_process_capeff(pid_t pid, char **ret);
 int get_process_cwd(pid_t pid, char **ret);
 int get_process_root(pid_t pid, char **ret);
 int get_process_environ(pid_t pid, char **ret);
index c48ad81f37349846f7da33864ef4f5be9f14d878..50dc8867e151c2a840e4c63841f2f94277fe6ccf 100644 (file)
@@ -132,6 +132,7 @@ static int client_context_new(Server *s, pid_t pid, ClientContext **ret) {
                 .log_level_max = -1,
                 .log_ratelimit_interval = s->ratelimit_interval,
                 .log_ratelimit_burst = s->ratelimit_burst,
+                .capability_quintet = CAPABILITY_QUINTET_NULL,
         };
 
         r = hashmap_ensure_put(&s->client_contexts, NULL, PID_TO_PTR(pid), c);
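Review bot: The added `.capability_quintet = CAPABILITY_QUINTET_NULL,` initializer needs a short why-comment, because without it the designated initializer would leave the quintet zeroed and `capability_is_set()` only tests `v != CAP_MASK_UNSET`. Assuming CAP_MASK_UNSET is non-zero (its definition is not in this diff), a zeroed context would be logged as an empty effective set rather than as "not read". A comment such as `/* 0 is a valid (empty) mask, so mark the sets as not-yet-read explicitly */` would make that clear, and the same applies to the assignment added at the end of client_context_reset(). client_context_new() starts and ends outside the hunk.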
@@ -154,7 +155,6 @@ static void client_context_reset(Server *s, ClientContext *c) {
         c->comm = mfree(c->comm);
         c->exe = mfree(c->exe);
         c->cmdline = mfree(c->cmdline);
-        c->capeff = mfree(c->capeff);
 
         c->auditid = AUDIT_SESSION_INVALID;
         c->loginuid = UID_INVALID;
@@ -184,6 +184,8 @@ static void client_context_reset(Server *s, ClientContext *c) {
 
         c->log_filter_allowed_patterns = set_free_free(c->log_filter_allowed_patterns);
         c->log_filter_denied_patterns = set_free_free(c->log_filter_denied_patterns);
+
+        c->capability_quintet = CAPABILITY_QUINTET_NULL;
 }
 
 static ClientContext* client_context_free(Server *s, ClientContext *c) {
@@ -233,8 +235,7 @@ static void client_context_read_basic(ClientContext *c) {
         if (pid_get_cmdline(c->pid, SIZE_MAX, PROCESS_CMDLINE_QUOTE, &t) >= 0)
                 free_and_replace(c->cmdline, t);
 
-        if (get_process_capeff(c->pid, &t) >= 0)
-                free_and_replace(c->capeff, t);
+        (void) pidref_get_capability(&PIDREF_MAKE_FROM_PID(c->pid), &c->capability_quintet);
 }
 
 static int client_context_read_label(
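Review bot: The `(void)` call writes straight into `c->capability_quintet`, so what the context holds after a failed read depends on whether pidref_get_capability() leaves its output untouched on error, which is not visible in this diff. The neighbouring cmdline read, like the removed capeff read, replaces the cached value only on success, and reading into a local keeps that property explicit: `CapabilityQuintet q;` then `if (pidref_get_capability(&PIDREF_MAKE_FROM_PID(c->pid), &q) >= 0)` and `c->capability_quintet = q;`. This matters because the effective set is later emitted as the trusted `_CAP_EFFECTIVE` field, where a partially filled quintet would be misleading. client_context_read_basic() begins outside the hunk.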
index 6e0d9f6f75dd7600c5df95ac56af489d3752de72..34637f85e4576aacf651fb3c4441ac62e3217b61 100644 (file)
@@ -7,6 +7,7 @@
 
 #include "sd-id128.h"
 
+#include "capability-util.h"
 #include "set.h"
 #include "time-util.h"
 
@@ -27,7 +28,7 @@ struct ClientContext {
         char *comm;
         char *exe;
         char *cmdline;
-        char *capeff;
+        CapabilityQuintet capability_quintet;
 
         uint32_t auditid;
         uid_t loginuid;
index bebc1e584c590d03570fb5ad39e995be83c5a1e0..8fcfa0c57bbbc03623b0ddfee5c0b187490bb24f 100644 (file)
@@ -1109,7 +1109,7 @@ static void server_dispatch_message_real(
                          * Let's use a heap allocation for this one. */
                         cmdline1 = set_iovec_string_field(iovec, &n, "_CMDLINE=", c->cmdline);
 
-                IOVEC_ADD_STRING_FIELD(iovec, n, c->capeff, "_CAP_EFFECTIVE"); /* Read from /proc/.../status */
+                IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "_CAP_EFFECTIVE");
                 IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "_AUDIT_SESSION");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->loginuid, uid_t, uid_is_valid, UID_FMT, "_AUDIT_LOGINUID");
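Review bot: Nothing in this commit pins the textual form of `_CAP_EFFECTIVE` now that it is produced with `"%" PRIx64` rather than copied from the CapEff line. Whether the unpadded hex output is byte-identical to what get_proc_field() used to return cannot be told from this diff, and TEST(capeff) is removed without a replacement. Since journal consumers match on this field, a small test asserting the formatted value for a known mask would guard the format. The dropped provenance comment is also worth keeping, e.g. `/* Parsed from /proc/.../status */`, and both points apply equally to the `OBJECT_CAP_EFFECTIVE` line in the next hunk. server_dispatch_message_real() starts and ends outside the hunk.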
@@ -1144,7 +1144,7 @@ static void server_dispatch_message_real(
                 if (o->cmdline)
                         cmdline2 = set_iovec_string_field(iovec, &n, "OBJECT_CMDLINE=", o->cmdline);
 
-                IOVEC_ADD_STRING_FIELD(iovec, n, o->capeff, "OBJECT_CAP_EFFECTIVE");
+                IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "OBJECT_CAP_EFFECTIVE");
                 IOVEC_ADD_SIZED_FIELD(iovec, n, o->label, o->label_size, "OBJECT_SELINUX_CONTEXT");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "OBJECT_AUDIT_SESSION");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->loginuid, uid_t, uid_is_valid, UID_FMT, "OBJECT_AUDIT_LOGINUID");
index 76f55983258a6886602e1d7598b5d2aa58251b2e..60b568b2d2f573b2bc91e28655a1c1df44706c09 100644 (file)
@@ -363,24 +363,6 @@ TEST(status_field) {
         }
 }
 
-TEST(capeff) {
-        for (int pid = 0; pid < 2; pid++) {
-                _cleanup_free_ char *capeff = NULL;
-                int r, p;
-
-                r = get_process_capeff(0, &capeff);
-                log_info("capeff: '%s' (r=%d)", capeff, r);
-
-                if (IN_SET(r, -ENOENT, -EPERM))
-                        return;
-
-                assert_se(r == 0);
-                assert_se(*capeff);
-                p = capeff[strspn(capeff, HEXDIGITS)];
-                assert_se(!p || isspace(p));
-        }
-}
-
 TEST(read_one_line_file) {
         _cleanup_(unlink_tempfilep) char fn[] = "/tmp/test-fileio-1lf-XXXXXX";
         int fd;