From 25b1a73f71d9a8103e812f802e9134b217b60dc7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 17 Dec 2024 19:02:24 +0100
Subject: [PATCH] journald: get rid of get_process_capeff(), use
 pidref_get_capability() instead

This does pretty much the same, but is nicer, since it parses things
properly.
---
 src/basic/capability-util.h    |  2 +-
 src/basic/process-util.c       | 16 ----------------
 src/basic/process-util.h       |  1 -
 src/journal/journald-context.c |  7 ++++---
 src/journal/journald-context.h |  3 ++-
 src/journal/journald-server.c  |  4 ++--
 src/test/test-fileio.c         | 18 ------------------
 7 files changed, 9 insertions(+), 42 deletions(-)

diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 0195518d84e..9caae1ac064 100644
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -67,7 +67,7 @@ typedef struct CapabilityQuintet {
 
 assert_cc(CAP_LAST_CAP < 64);
 
-#define CAPABILITY_QUINTET_NULL { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET }
+#define CAPABILITY_QUINTET_NULL (CapabilityQuintet) { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET }
 
 static inline bool capability_is_set(uint64_t v) {
         return v != CAP_MASK_UNSET;
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index c74a7e7ea49..d02a122a354 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -500,22 +500,6 @@ int pidref_is_kernel_thread(const PidRef *pid) {
         return result;
 }
 
-int get_process_capeff(pid_t pid, char **ret) {
-        const char *p;
-        int r;
-
-        assert(pid >= 0);
-        assert(ret);
-
-        p = procfs_file_alloca(pid, "status");
-
-        r = get_proc_field(p, "CapEff", WHITESPACE, ret);
-        if (r == -ENOENT)
-                return -ESRCH;
-
-        return r;
-}
-
 static int get_process_link_contents(pid_t pid, const char *proc_file, char **ret) {
         const char *p;
         int r;
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 0763b64cff0..f1088afc1db 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -50,7 +50,6 @@ int get_process_exe(pid_t pid, char **ret);
 int pid_get_uid(pid_t pid, uid_t *ret);
 int pidref_get_uid(const PidRef *pid, uid_t *ret);
 int get_process_gid(pid_t pid, gid_t *ret);
-int get_process_capeff(pid_t pid, char **ret);
 int get_process_cwd(pid_t pid, char **ret);
 int get_process_root(pid_t pid, char **ret);
 int get_process_environ(pid_t pid, char **ret);
diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c
index c48ad81f373..50dc8867e15 100644
--- a/src/journal/journald-context.c
+++ b/src/journal/journald-context.c
@@ -132,6 +132,7 @@ static int client_context_new(Server *s, pid_t pid, ClientContext **ret) {
                 .log_level_max = -1,
                 .log_ratelimit_interval = s->ratelimit_interval,
                 .log_ratelimit_burst = s->ratelimit_burst,
+                .capability_quintet = CAPABILITY_QUINTET_NULL,
         };
 
         r = hashmap_ensure_put(&s->client_contexts, NULL, PID_TO_PTR(pid), c);
@@ -154,7 +155,6 @@ static void client_context_reset(Server *s, ClientContext *c) {
         c->comm = mfree(c->comm);
         c->exe = mfree(c->exe);
         c->cmdline = mfree(c->cmdline);
-        c->capeff = mfree(c->capeff);
 
         c->auditid = AUDIT_SESSION_INVALID;
         c->loginuid = UID_INVALID;
@@ -184,6 +184,8 @@ static void client_context_reset(Server *s, ClientContext *c) {
 
         c->log_filter_allowed_patterns = set_free_free(c->log_filter_allowed_patterns);
         c->log_filter_denied_patterns = set_free_free(c->log_filter_denied_patterns);
+
+        c->capability_quintet = CAPABILITY_QUINTET_NULL;
 }
 
 static ClientContext* client_context_free(Server *s, ClientContext *c) {
@@ -233,8 +235,7 @@ static void client_context_read_basic(ClientContext *c) {
         if (pid_get_cmdline(c->pid, SIZE_MAX, PROCESS_CMDLINE_QUOTE, &t) >= 0)
                 free_and_replace(c->cmdline, t);
 
-        if (get_process_capeff(c->pid, &t) >= 0)
-                free_and_replace(c->capeff, t);
+        (void) pidref_get_capability(&PIDREF_MAKE_FROM_PID(c->pid), &c->capability_quintet);
 }
 
 static int client_context_read_label(
diff --git a/src/journal/journald-context.h b/src/journal/journald-context.h
index 6e0d9f6f75d..34637f85e45 100644
--- a/src/journal/journald-context.h
+++ b/src/journal/journald-context.h
@@ -7,6 +7,7 @@
 
 #include "sd-id128.h"
 
+#include "capability-util.h"
 #include "set.h"
 #include "time-util.h"
 
@@ -27,7 +28,7 @@ struct ClientContext {
         char *comm;
         char *exe;
         char *cmdline;
-        char *capeff;
+        CapabilityQuintet capability_quintet;
 
         uint32_t auditid;
         uid_t loginuid;
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index bebc1e584c5..8fcfa0c57bb 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1109,7 +1109,7 @@ static void server_dispatch_message_real(
                          * Let's use a heap allocation for this one. */
                         cmdline1 = set_iovec_string_field(iovec, &n, "_CMDLINE=", c->cmdline);
 
-                IOVEC_ADD_STRING_FIELD(iovec, n, c->capeff, "_CAP_EFFECTIVE"); /* Read from /proc/.../status */
+                IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "_CAP_EFFECTIVE");
                 IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "_AUDIT_SESSION");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->loginuid, uid_t, uid_is_valid, UID_FMT, "_AUDIT_LOGINUID");
@@ -1144,7 +1144,7 @@ static void server_dispatch_message_real(
                 if (o->cmdline)
                         cmdline2 = set_iovec_string_field(iovec, &n, "OBJECT_CMDLINE=", o->cmdline);
 
-                IOVEC_ADD_STRING_FIELD(iovec, n, o->capeff, "OBJECT_CAP_EFFECTIVE");
+                IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "OBJECT_CAP_EFFECTIVE");
                 IOVEC_ADD_SIZED_FIELD(iovec, n, o->label, o->label_size, "OBJECT_SELINUX_CONTEXT");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "OBJECT_AUDIT_SESSION");
                 IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->loginuid, uid_t, uid_is_valid, UID_FMT, "OBJECT_AUDIT_LOGINUID");
diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c
index 76f55983258..60b568b2d2f 100644
--- a/src/test/test-fileio.c
+++ b/src/test/test-fileio.c
@@ -363,24 +363,6 @@ TEST(status_field) {
         }
 }
 
-TEST(capeff) {
-        for (int pid = 0; pid < 2; pid++) {
-                _cleanup_free_ char *capeff = NULL;
-                int r, p;
-
-                r = get_process_capeff(0, &capeff);
-                log_info("capeff: '%s' (r=%d)", capeff, r);
-
-                if (IN_SET(r, -ENOENT, -EPERM))
-                        return;
-
-                assert_se(r == 0);
-                assert_se(*capeff);
-                p = capeff[strspn(capeff, HEXDIGITS)];
-                assert_se(!p || isspace(p));
-        }
-}
-
 TEST(read_one_line_file) {
         _cleanup_(unlink_tempfilep) char fn[] = "/tmp/test-fileio-1lf-XXXXXX";
         int fd;
-- 
2.47.3