From: Aaron Tomlin
Date: Mon, 13 Jan 2025 18:18:05 +0000 (-0700)
Subject: api: Add extra debugging when matching rule to a group
X-Git-Tag: v3.2.0~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9155a813ff1837ec5287ca7fb26706479dbb8390;p=thirdparty%2Flibcgroup.git
api: Add extra debugging when matching rule to a group
In the context of a group rule (i.e. indicated by '@' used to prefix the actual group name), getgrnam(3) is used to provide a pointer to a group file entry that may contain a NULL-terminated array of pointers to group members. A user can belong to multiple groups. With this information, we then check the username that corresponds to the specified UID against each group member for a match. This patch makes it possible to see this information if debug level logging is enabled. Use the new cgroup_get_loglevel() API to optimize the rule loop to minimize performance impacts.
Signed-off-by: Aaron Tomlin
Signed-off-by: Tom Hromatka
Acked-by: Kamalesh Babulal
---
diff --git a/src/api.c b/src/api.c
index 9adde2c6..6df516fa 100644
--- a/src/api.c
+++ b/src/api.c
@@ -4230,6 +4230,10 @@ static struct cgroup_rule *cgroup_find_matching_rule_uid_gid(uid_t uid, gid_t gi
 /* Loop variable */
 int i = 0;
+ int loglevel;
+ bool match_found = false;
+
+ loglevel = cgroup_get_loglevel();
 while (rule) {
 /* Skip "%" which indicates continuation of previous rule. */
@@ -4266,11 +4270,28 @@ static struct cgroup_rule *cgroup_find_matching_rule_uid_gid(uid_t uid, gid_t gi
 continue;
 }
+ cgroup_dbg("User name: %s UID: %d Group name: %s GID: %d\n",
+ usr->pw_name, uid, grp->gr_name, grp->gr_gid);
+ if (grp->gr_mem[0])
+ cgroup_dbg("Group member(s):\n");
+
 /* If UID is a member of group, we matched. */
 for (i = 0; grp->gr_mem[i]; i++) {
 if (!(strcmp(usr->pw_name, grp->gr_mem[i])))
- return rule;
+ match_found = true;
+
+ if (match_found && loglevel < CGROUP_LOG_DEBUG)
+ /*
+ * Only continue to run through the loop if debugging is
+ * enabled so that we can see all of the group members
+ */
+ break;
+
+ cgroup_dbg("\t%s\n", grp->gr_mem[i]);
 }
+
+ if (match_found)
+ return rule;
 }
 /* If we haven't matched, try the next rule. */
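Review bot: The added `cgroup_dbg("User name: %s UID: %d Group name: %s GID: %d\n", ...)` call prints `uid` and `grp->gr_gid` with `%d`, but `uid_t` and `gid_t` are unsigned on Linux, so IDs above INT_MAX appear negative in the log an operator would read to see why a rule matched. Using `%u` with `(unsigned int)uid` and `(unsigned int)grp->gr_gid` keeps the logged IDs accurate. In the member loop, the unbraced `if (match_found && loglevel < CGROUP_LOG_DEBUG)` has a multi-line comment between the condition and its `break;`, which a later edit could easily detach; I would brace the body and move the comment above the `if`. At debug level each group-rule evaluation now writes the account name and the full member list to the log, which deserves a mention in the logging documentation so that output is handled as sensitive. The function starts and ends outside this hunk, so the NULL checks on `usr` and `grp` before these dereferences cannot be confirmed from here.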