[thirdparty/systemd.git] / src / journal / journald-native.c

/***
  This file is part of systemd.

  Copyright 2011 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <stddef.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "io-util.h"
#include "journal-importer.h"
#include "journald-console.h"
#include "journald-kmsg.h"
#include "journald-native.h"
#include "journald-server.h"
#include "journald-syslog.h"
#include "journald-wall.h"
#include "memfd-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
#include "selinux-util.h"
#include "socket-util.h"
#include "string-util.h"
#include "unaligned.h"

bool valid_user_field(const char *p, size_t l, bool allow_protected) {
        const char *a;

        /* We kinda enforce POSIX syntax recommendations for
           environment variables here, but make a couple of additional
           requirements.

           http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */

        /* No empty field names */
        if (l <= 0)
                return false;

        /* Don't allow names longer than 64 chars */
        if (l > 64)
                return false;

        /* Variables starting with an underscore are protected */
        if (!allow_protected && p[0] == '_')
                return false;

        /* Don't allow digits as first character */
        if (p[0] >= '0' && p[0] <= '9')
                return false;

        /* Only allow A-Z0-9 and '_' */
        for (a = p; a < p + l; a++)
                if ((*a < 'A' || *a > 'Z') &&
                    (*a < '0' || *a > '9') &&
                    *a != '_')
                        return false;

        return true;
}

static bool allow_object_pid(const struct ucred *ucred) {
        return ucred && ucred->uid == 0;
}

static void server_process_entry_meta(
                const char *p, size_t l,
                const struct ucred *ucred,
                int *priority,
                char **identifier,
                char **message,
                pid_t *object_pid) {

        /* We need to determine the priority of this entry for the rate limiting logic */

        if (l == 10 &&
            startswith(p, "PRIORITY=") &&
            p[9] >= '0' && p[9] <= '9')
                *priority = (*priority & LOG_FACMASK) | (p[9] - '0');

        else if (l == 17 &&
                 startswith(p, "SYSLOG_FACILITY=") &&
                 p[16] >= '0' && p[16] <= '9')
                *priority = (*priority & LOG_PRIMASK) | ((p[16] - '0') << 3);

        else if (l == 18 &&
                 startswith(p, "SYSLOG_FACILITY=") &&
                 p[16] >= '0' && p[16] <= '9' &&
                 p[17] >= '0' && p[17] <= '9')
                *priority = (*priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);

        else if (l >= 19 &&
                 startswith(p, "SYSLOG_IDENTIFIER=")) {
                char *t;

                t = strndup(p + 18, l - 18);
                if (t) {
                        free(*identifier);
                        *identifier = t;
                }

        } else if (l >= 8 &&
                   startswith(p, "MESSAGE=")) {
                char *t;

                t = strndup(p + 8, l - 8);
                if (t) {
                        free(*message);
                        *message = t;
                }

        } else if (l > strlen("OBJECT_PID=") &&
                   l < strlen("OBJECT_PID=")  + DECIMAL_STR_MAX(pid_t) &&
                   startswith(p, "OBJECT_PID=") &&
                   allow_object_pid(ucred)) {
                char buf[DECIMAL_STR_MAX(pid_t)];
                memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
                buf[l-strlen("OBJECT_PID=")] = '\0';

                (void) parse_pid(buf, object_pid);
        }
}

static int server_process_entry(
                Server *s,
                const void *buffer, size_t *remaining,
                ClientContext *context,
                const struct ucred *ucred,
                const struct timeval *tv,
                const char *label, size_t label_len) {

        /* Process a single entry from a native message.
         * Returns 0 if nothing special happened and the message processing should continue,
         * and a negative or positive value otherwise.
         *
         * Note that *remaining is altered on both success and failure. */

        struct iovec *iovec = NULL;
        unsigned n = 0, j, tn = (unsigned) -1;
        const char *p;
        size_t m = 0, entry_size = 0;
        int priority = LOG_INFO;
        char *identifier = NULL, *message = NULL;
        pid_t object_pid = 0;
        int r = 0;

        p = buffer;

        while (*remaining > 0) {
                const char *e, *q;

                e = memchr(p, '\n', *remaining);

                if (!e) {
                        /* Trailing noise, let's ignore it, and flush what we collected */
                        log_debug("Received message with trailing noise, ignoring.");
                        r = 1; /* finish processing of the message */
                        break;
                }

                if (e == p) {
                        /* Entry separator */
                        *remaining -= 1;
                        break;
                }

                if (*p == '.' || *p == '#') {
                        /* Ignore control commands for now, and
                         * comments too. */
                        *remaining -= (e - p) + 1;
                        p = e + 1;
                        continue;
                }

                /* A property follows */

                /* n existing properties, 1 new, +1 for _TRANSPORT */
                if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
                        r = log_oom();
                        break;
                }

                q = memchr(p, '=', e - p);
                if (q) {
                        if (valid_user_field(p, q - p, false)) {
                                size_t l;

                                l = e - p;

                                /* If the field name starts with an
                                 * underscore, skip the variable,
                                 * since that indicates a trusted
                                 * field */
                                iovec[n].iov_base = (char*) p;
                                iovec[n].iov_len = l;
                                entry_size += l;
                                n++;

                                server_process_entry_meta(p, l, ucred,
                                                          &priority,
                                                          &identifier,
                                                          &message,
                                                          &object_pid);
                        }

                        *remaining -= (e - p) + 1;
                        p = e + 1;
                        continue;
                } else {
                        uint64_t l;
                        char *k;

                        if (*remaining < e - p + 1 + sizeof(uint64_t) + 1) {
                                log_debug("Failed to parse message, ignoring.");
                                break;
                        }

                        l = unaligned_read_le64(e + 1);

                        if (l > DATA_SIZE_MAX) {
                                log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);
                                break;
                        }

                        if ((uint64_t) *remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
                            e[1+sizeof(uint64_t)+l] != '\n') {
                                log_debug("Failed to parse message, ignoring.");
                                break;
                        }

                        k = malloc((e - p) + 1 + l);
                        if (!k) {
                                log_oom();
                                break;
                        }

                        memcpy(k, p, e - p);
                        k[e - p] = '=';
                        memcpy(k + (e - p) + 1, e + 1 + sizeof(uint64_t), l);

                        if (valid_user_field(p, e - p, false)) {
                                iovec[n].iov_base = k;
                                iovec[n].iov_len = (e - p) + 1 + l;
                                entry_size += iovec[n].iov_len;
                                n++;

                                server_process_entry_meta(k, (e - p) + 1 + l, ucred,
                                                          &priority,
                                                          &identifier,
                                                          &message,
                                                          &object_pid);
                        } else
                                free(k);

                        *remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
                        p = e + 1 + sizeof(uint64_t) + l + 1;
                }
        }

        if (n <= 0) {
                r = 1;
                goto finish;
        }

        tn = n++;
        iovec[tn] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
        entry_size += strlen("_TRANSPORT=journal");

        if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
                log_debug("Entry is too big with %u properties and %zu bytes, ignoring.",
                          n, entry_size);
                goto finish;
        }

        if (message) {
                if (s->forward_to_syslog)
                        server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv);

                if (s->forward_to_kmsg)
                        server_forward_kmsg(s, priority, identifier, message, ucred);

                if (s->forward_to_console)
                        server_forward_console(s, priority, identifier, message, ucred);

                if (s->forward_to_wall)
                        server_forward_wall(s, priority, identifier, message, ucred);
        }

        server_dispatch_message(s, iovec, n, m, context, tv, priority, object_pid);

finish:
        for (j = 0; j < n; j++)  {
                if (j == tn)
                        continue;

                if (iovec[j].iov_base < buffer ||
                    (const char*) iovec[j].iov_base >= p + *remaining)
                        free(iovec[j].iov_base);
        }

        free(iovec);
        free(identifier);
        free(message);

        return r;
}

void server_process_native_message(
                Server *s,
                const void *buffer, size_t buffer_size,
                const struct ucred *ucred,
                const struct timeval *tv,
                const char *label, size_t label_len) {

        size_t remaining = buffer_size;
        ClientContext *context;
        int r;

        assert(s);
        assert(buffer || buffer_size == 0);

        if (ucred && pid_is_valid(ucred->pid)) {
                r = client_context_get(s, ucred->pid, ucred, label, label_len, NULL, &context);
                if (r < 0)
                        log_warning_errno(r, "Failed to retrieve credentials for PID " PID_FMT ", ignoring: %m", ucred->pid);
        }

        do {
                r = server_process_entry(s,
                                         (const uint8_t*) buffer + (buffer_size - remaining), &remaining,
                                         context, ucred, tv, label, label_len);
        } while (r == 0);
}

void server_process_native_file(
                Server *s,
                int fd,
                const struct ucred *ucred,
                const struct timeval *tv,
                const char *label, size_t label_len) {

        struct stat st;
        bool sealed;
        int r;

        /* Data is in the passed fd, since it didn't fit in a
         * datagram. */

        assert(s);
        assert(fd >= 0);

        /* If it's a memfd, check if it is sealed. If so, we can just
         * use map it and use it, and do not need to copy the data
         * out. */
        sealed = memfd_get_sealed(fd) > 0;

        if (!sealed && (!ucred || ucred->uid != 0)) {
                _cleanup_free_ char *sl = NULL, *k = NULL;
                const char *e;

                /* If this is not a sealed memfd, and the peer is unknown or
                 * unprivileged, then verify the path. */

                if (asprintf(&sl, "/proc/self/fd/%i", fd) < 0) {
                        log_oom();
                        return;
                }

                r = readlink_malloc(sl, &k);
                if (r < 0) {
                        log_error_errno(r, "readlink(%s) failed: %m", sl);
                        return;
                }

                e = path_startswith(k, "/dev/shm/");
                if (!e)
                        e = path_startswith(k, "/tmp/");
                if (!e)
                        e = path_startswith(k, "/var/tmp/");
                if (!e) {
                        log_error("Received file outside of allowed directories. Refusing.");
                        return;
                }

                if (!filename_is_valid(e)) {
                        log_error("Received file in subdirectory of allowed directories. Refusing.");
                        return;
                }
        }

        if (fstat(fd, &st) < 0) {
                log_error_errno(errno, "Failed to stat passed file, ignoring: %m");
                return;
        }

        if (!S_ISREG(st.st_mode)) {
                log_error("File passed is not regular. Ignoring.");
                return;
        }

        if (st.st_size <= 0)
                return;

        if (st.st_size > ENTRY_SIZE_MAX) {
                log_error("File passed too large. Ignoring.");
                return;
        }

        if (sealed) {
                void *p;
                size_t ps;

                /* The file is sealed, we can just map it and use it. */

                ps = PAGE_ALIGN(st.st_size);
                p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE, fd, 0);
                if (p == MAP_FAILED) {
                        log_error_errno(errno, "Failed to map memfd, ignoring: %m");
                        return;
                }

                server_process_native_message(s, p, st.st_size, ucred, tv, label, label_len);
                assert_se(munmap(p, ps) >= 0);
        } else {
                _cleanup_free_ void *p = NULL;
                struct statvfs vfs;
                ssize_t n;

                if (fstatvfs(fd, &vfs) < 0) {
                        log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
                        return;
                }

                /* Refuse operating on file systems that have
                 * mandatory locking enabled, see:
                 *
                 * https://github.com/systemd/systemd/issues/1822
                 */
                if (vfs.f_flag & ST_MANDLOCK) {
                        log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
                        return;
                }

                /* Make the fd non-blocking. On regular files this has
                 * the effect of bypassing mandatory locking. Of
                 * course, this should normally not be necessary given
                 * the check above, but let's better be safe than
                 * sorry, after all NFS is pretty confusing regarding
                 * file system flags, and we better don't trust it,
                 * and so is SMB. */
                r = fd_nonblock(fd, true);
                if (r < 0) {
                        log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
                        return;
                }

                /* The file is not sealed, we can't map the file here, since
                 * clients might then truncate it and trigger a SIGBUS for
                 * us. So let's stupidly read it */

                p = malloc(st.st_size);
                if (!p) {
                        log_oom();
                        return;
                }

                n = pread(fd, p, st.st_size, 0);
                if (n < 0)
                        log_error_errno(errno, "Failed to read file, ignoring: %m");
                else if (n > 0)
                        server_process_native_message(s, p, n, ucred, tv, label, label_len);
        }
}

int server_open_native_socket(Server*s) {

        static const union sockaddr_union sa = {
                .un.sun_family = AF_UNIX,
                .un.sun_path = "/run/systemd/journal/socket",
        };
        static const int one = 1;
        int r;

        assert(s);

        if (s->native_fd < 0) {
                s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
                if (s->native_fd < 0)
                        return log_error_errno(errno, "socket() failed: %m");

                (void) unlink(sa.un.sun_path);

                r = bind(s->native_fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
                if (r < 0)
                        return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);

                (void) chmod(sa.un.sun_path, 0666);
        } else
                fd_nonblock(s->native_fd, 1);

        r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
        if (r < 0)
                return log_error_errno(errno, "SO_PASSCRED failed: %m");

#if HAVE_SELINUX
        if (mac_selinux_use()) {
                r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
                if (r < 0)
                        log_warning_errno(errno, "SO_PASSSEC failed: %m");
        }
#endif

        r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
        if (r < 0)
                return log_error_errno(errno, "SO_TIMESTAMP failed: %m");

        r = sd_event_add_io(s->event, &s->native_event_source, s->native_fd, EPOLLIN, server_process_datagram, s);
        if (r < 0)
                return log_error_errno(r, "Failed to add native server fd to event loop: %m");

        r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5);
        if (r < 0)
                return log_error_errno(r, "Failed to adjust native event source priority: %m");

        return 0;
}
Commit	Line	Data
0153028a LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2011 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
4871690d	20	#include <stddef.h>
0153028a	21	#include <sys/epoll.h>
c79e98ea	22	#include <sys/mman.h>
1e603a48	23	#include <sys/statvfs.h>
07630cea	24	#include <unistd.h>
0153028a	25
b5efdb8a	26	#include "alloc-util.h"
3ffd4af2	27	#include "fd-util.h"
f4f15635	28	#include "fs-util.h"
afc5dbf3	29	#include "io-util.h"
b18453ed	30	#include "journal-importer.h"
0153028a	31	#include "journald-console.h"
07630cea	32	#include "journald-kmsg.h"
3ffd4af2	33	#include "journald-native.h"
07630cea	34	#include "journald-server.h"
0153028a	35	#include "journald-syslog.h"
40b71e89	36	#include "journald-wall.h"
a09abc4a	37	#include "memfd-util.h"
6bedfcbb	38	#include "parse-util.h"
07630cea	39	#include "path-util.h"
22e3a02b	40	#include "process-util.h"
07630cea LP	41	#include "selinux-util.h"
	42	#include "socket-util.h"
	43	#include "string-util.h"
731e10f3	44	#include "unaligned.h"
0153028a	45
d18d46ec	46	bool valid_user_field(const char *p, size_t l, bool allow_protected) {
0153028a LP	47	const char *a;
	48
	49	/* We kinda enforce POSIX syntax recommendations for
	50	environment variables here, but make a couple of additional
	51	requirements.
	52
	53	http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */
	54
	55	/* No empty field names */
	56	if (l <= 0)
	57	return false;
	58
	59	/* Don't allow names longer than 64 chars */
	60	if (l > 64)
	61	return false;
	62
	63	/* Variables starting with an underscore are protected */
d18d46ec	64	if (!allow_protected && p[0] == '_')
0153028a LP	65	return false;
	66
	67	/* Don't allow digits as first character */
	68	if (p[0] >= '0' && p[0] <= '9')
	69	return false;
	70
	71	/* Only allow A-Z0-9 and '_' */
	72	for (a = p; a < p + l; a++)
d18d46ec ZJS	73	if ((a < 'A' \|\| a > 'Z') &&
	74	(a < '0' \|\| a > '9') &&
	75	*a != '_')
0153028a LP	76	return false;
	77
	78	return true;
	79	}
	80
3b3154df	81	static bool allow_object_pid(const struct ucred *ucred) {
968f3196 ZJS	82	return ucred && ucred->uid == 0;
	83	}
	84
4b29a7f4 ZJS	85	static void server_process_entry_meta(
	86	const char *p, size_t l,
	87	const struct ucred *ucred,
	88	int *priority,
	89	char **identifier,
	90	char **message,
	91	pid_t *object_pid) {
	92
	93	/* We need to determine the priority of this entry for the rate limiting logic */
	94
	95	if (l == 10 &&
	96	startswith(p, "PRIORITY=") &&
	97	p[9] >= '0' && p[9] <= '9')
	98	priority = (priority & LOG_FACMASK) \| (p[9] - '0');
	99
	100	else if (l == 17 &&
	101	startswith(p, "SYSLOG_FACILITY=") &&
	102	p[16] >= '0' && p[16] <= '9')
	103	priority = (priority & LOG_PRIMASK) \| ((p[16] - '0') << 3);
	104
	105	else if (l == 18 &&
	106	startswith(p, "SYSLOG_FACILITY=") &&
	107	p[16] >= '0' && p[16] <= '9' &&
	108	p[17] >= '0' && p[17] <= '9')
	109	priority = (priority & LOG_PRIMASK) \| (((p[16] - '0')*10 + (p[17] - '0')) << 3);
	110
	111	else if (l >= 19 &&
	112	startswith(p, "SYSLOG_IDENTIFIER=")) {
	113	char *t;
	114
	115	t = strndup(p + 18, l - 18);
	116	if (t) {
	117	free(*identifier);
	118	*identifier = t;
	119	}
	120
	121	} else if (l >= 8 &&
	122	startswith(p, "MESSAGE=")) {
	123	char *t;
	124
	125	t = strndup(p + 8, l - 8);
	126	if (t) {
	127	free(*message);
	128	*message = t;
	129	}
	130
	131	} else if (l > strlen("OBJECT_PID=") &&
	132	l < strlen("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t) &&
	133	startswith(p, "OBJECT_PID=") &&
	134	allow_object_pid(ucred)) {
	135	char buf[DECIMAL_STR_MAX(pid_t)];
	136	memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
	137	buf[l-strlen("OBJECT_PID=")] = '\0';
	138
	139	(void) parse_pid(buf, object_pid);
	140	}
	141	}
	142
68944f19	143	static int server_process_entry(
0153028a	144	Server *s,
68944f19	145	const void buffer, size_t remaining,
22e3a02b	146	ClientContext *context,
3b3154df LP	147	const struct ucred *ucred,
3b3154df LP	148	const struct timeval *tv,
0153028a LP	149	const char *label, size_t label_len) {
0153028a LP	150
68944f19 ZJS	151	/* Process a single entry from a native message.
	152	* Returns 0 if nothing special happened and the message processing should continue,
	153	* and a negative or positive value otherwise.
	154	*
	155	* Note that remaining is altered on both success and failure. /
	156
0153028a	157	struct iovec *iovec = NULL;
968f3196	158	unsigned n = 0, j, tn = (unsigned) -1;
0153028a	159	const char *p;
68944f19	160	size_t m = 0, entry_size = 0;
0153028a LP	161	int priority = LOG_INFO;
0153028a LP	162	char identifier = NULL, message = NULL;
968f3196	163	pid_t object_pid = 0;
68944f19	164	int r = 0;
0153028a LP	165
0153028a LP	166	p = buffer;
0153028a	167
68944f19	168	while (*remaining > 0) {
0153028a LP	169	const char e, q;
0153028a LP	170
68944f19	171	e = memchr(p, '\n', *remaining);
0153028a LP	172
	173	if (!e) {
	174	/* Trailing noise, let's ignore it, and flush what we collected */
	175	log_debug("Received message with trailing noise, ignoring.");
68944f19	176	r = 1; /* finish processing of the message */
0153028a LP	177	break;
	178	}
	179
	180	if (e == p) {
	181	/* Entry separator */
68944f19 ZJS	182	*remaining -= 1;
68944f19 ZJS	183	break;
0153028a LP	184	}
	185
	186	if (p == '.' \|\| p == '#') {
	187	/* Ignore control commands for now, and
	188	* comments too. */
68944f19	189	*remaining -= (e - p) + 1;
0153028a LP	190	p = e + 1;
	191	continue;
	192	}
	193
	194	/* A property follows */
	195
12a717f8	196	/* n existing properties, 1 new, +1 for _TRANSPORT */
92ee6447	197	if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
68944f19	198	r = log_oom();
968f3196	199	break;
0153028a LP	200	}
	201
	202	q = memchr(p, '=', e - p);
	203	if (q) {
d18d46ec	204	if (valid_user_field(p, q - p, false)) {
0153028a LP	205	size_t l;
	206
	207	l = e - p;
	208
	209	/* If the field name starts with an
	210	* underscore, skip the variable,
4b29a7f4	211	* since that indicates a trusted
0153028a LP	212	* field */
	213	iovec[n].iov_base = (char*) p;
	214	iovec[n].iov_len = l;
68944f19	215	entry_size += l;
a174f94d	216	n++;
0153028a	217
4b29a7f4 ZJS	218	server_process_entry_meta(p, l, ucred,
	219	&priority,
	220	&identifier,
	221	&message,
	222	&object_pid);
0153028a LP	223	}
0153028a LP	224
68944f19	225	*remaining -= (e - p) + 1;
0153028a LP	226	p = e + 1;
	227	continue;
	228	} else {
0153028a LP	229	uint64_t l;
	230	char *k;
	231
68944f19	232	if (*remaining < e - p + 1 + sizeof(uint64_t) + 1) {
0153028a LP	233	log_debug("Failed to parse message, ignoring.");
	234	break;
	235	}
	236
731e10f3	237	l = unaligned_read_le64(e + 1);
0153028a	238
505b6a61	239	if (l > DATA_SIZE_MAX) {
fa1c4b51	240	log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);
505b6a61 LP	241	break;
	242	}
	243
68944f19	244	if ((uint64_t) *remaining < e - p + 1 + sizeof(uint64_t) + l + 1 \|\|
0153028a LP	245	e[1+sizeof(uint64_t)+l] != '\n') {
	246	log_debug("Failed to parse message, ignoring.");
	247	break;
	248	}
	249
	250	k = malloc((e - p) + 1 + l);
	251	if (!k) {
	252	log_oom();
	253	break;
	254	}
	255
	256	memcpy(k, p, e - p);
	257	k[e - p] = '=';
	258	memcpy(k + (e - p) + 1, e + 1 + sizeof(uint64_t), l);
	259
d18d46ec	260	if (valid_user_field(p, e - p, false)) {
0153028a LP	261	iovec[n].iov_base = k;
0153028a LP	262	iovec[n].iov_len = (e - p) + 1 + l;
874bc134	263	entry_size += iovec[n].iov_len;
a174f94d	264	n++;
4b29a7f4 ZJS	265
	266	server_process_entry_meta(k, (e - p) + 1 + l, ucred,
	267	&priority,
	268	&identifier,
	269	&message,
	270	&object_pid);
0153028a LP	271	} else
	272	free(k);
	273
68944f19	274	*remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
0153028a LP	275	p = e + 1 + sizeof(uint64_t) + l + 1;
	276	}
	277	}
	278
68944f19 ZJS	279	if (n <= 0) {
68944f19 ZJS	280	r = 1;
0153028a	281	goto finish;
68944f19	282	}
0153028a LP	283
0153028a LP	284	tn = n++;
e6a7ec4b	285	iovec[tn] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
874bc134 ZJS	286	entry_size += strlen("_TRANSPORT=journal");
	287
	288	if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
	289	log_debug("Entry is too big with %u properties and %zu bytes, ignoring.",
	290	n, entry_size);
	291	goto finish;
	292	}
0153028a LP	293
	294	if (message) {
	295	if (s->forward_to_syslog)
b6a20306	296	server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv);
0153028a LP	297
	298	if (s->forward_to_kmsg)
	299	server_forward_kmsg(s, priority, identifier, message, ucred);
	300
	301	if (s->forward_to_console)
	302	server_forward_console(s, priority, identifier, message, ucred);
40b71e89 ST	303
	304	if (s->forward_to_wall)
	305	server_forward_wall(s, priority, identifier, message, ucred);
0153028a LP	306	}
0153028a LP	307
22e3a02b	308	server_dispatch_message(s, iovec, n, m, context, tv, priority, object_pid);
0153028a LP	309
	310	finish:
	311	for (j = 0; j < n; j++) {
	312	if (j == tn)
	313	continue;
	314
	315	if (iovec[j].iov_base < buffer \|\|
68944f19	316	(const char) iovec[j].iov_base >= p + remaining)
0153028a LP	317	free(iovec[j].iov_base);
	318	}
	319
	320	free(iovec);
	321	free(identifier);
	322	free(message);
68944f19 ZJS	323
	324	return r;
	325	}
	326
	327	void server_process_native_message(
	328	Server *s,
	329	const void *buffer, size_t buffer_size,
	330	const struct ucred *ucred,
	331	const struct timeval *tv,
	332	const char *label, size_t label_len) {
	333
68944f19	334	size_t remaining = buffer_size;
22e3a02b LP	335	ClientContext *context;
22e3a02b LP	336	int r;
68944f19 ZJS	337
	338	assert(s);
	339	assert(buffer \|\| buffer_size == 0);
	340
22e3a02b LP	341	if (ucred && pid_is_valid(ucred->pid)) {
	342	r = client_context_get(s, ucred->pid, ucred, label, label_len, NULL, &context);
	343	if (r < 0)
	344	log_warning_errno(r, "Failed to retrieve credentials for PID " PID_FMT ", ignoring: %m", ucred->pid);
	345	}
	346
68944f19 ZJS	347	do {
	348	r = server_process_entry(s,
	349	(const uint8_t*) buffer + (buffer_size - remaining), &remaining,
22e3a02b	350	context, ucred, tv, label, label_len);
68944f19	351	} while (r == 0);
0153028a LP	352	}
	353
	354	void server_process_native_file(
	355	Server *s,
	356	int fd,
3b3154df LP	357	const struct ucred *ucred,
3b3154df LP	358	const struct timeval *tv,
0153028a LP	359	const char *label, size_t label_len) {
	360
	361	struct stat st;
c79e98ea	362	bool sealed;
1dfa7e79	363	int r;
0153028a	364
c79e98ea LP	365	/* Data is in the passed fd, since it didn't fit in a
	366	* datagram. */
	367
0153028a LP	368	assert(s);
	369	assert(fd >= 0);
	370
c79e98ea LP	371	/* If it's a memfd, check if it is sealed. If so, we can just
	372	* use map it and use it, and do not need to copy the data
	373	* out. */
73843b52	374	sealed = memfd_get_sealed(fd) > 0;
c79e98ea LP	375
c79e98ea LP	376	if (!sealed && (!ucred \|\| ucred->uid != 0)) {
1dfa7e79 LP	377	_cleanup_free_ char sl = NULL, k = NULL;
	378	const char *e;
	379
c79e98ea LP	380	/* If this is not a sealed memfd, and the peer is unknown or
	381	* unprivileged, then verify the path. */
	382
1dfa7e79 LP	383	if (asprintf(&sl, "/proc/self/fd/%i", fd) < 0) {
	384	log_oom();
	385	return;
	386	}
	387
	388	r = readlink_malloc(sl, &k);
	389	if (r < 0) {
709f6e46	390	log_error_errno(r, "readlink(%s) failed: %m", sl);
1dfa7e79 LP	391	return;
	392	}
	393
	394	e = path_startswith(k, "/dev/shm/");
	395	if (!e)
	396	e = path_startswith(k, "/tmp/");
	397	if (!e)
	398	e = path_startswith(k, "/var/tmp/");
	399	if (!e) {
	400	log_error("Received file outside of allowed directories. Refusing.");
	401	return;
	402	}
	403
ae6c3cc0	404	if (!filename_is_valid(e)) {
1dfa7e79 LP	405	log_error("Received file in subdirectory of allowed directories. Refusing.");
	406	return;
	407	}
	408	}
	409
0153028a	410	if (fstat(fd, &st) < 0) {
56f64d95	411	log_error_errno(errno, "Failed to stat passed file, ignoring: %m");
0153028a LP	412	return;
	413	}
	414
	415	if (!S_ISREG(st.st_mode)) {
	416	log_error("File passed is not regular. Ignoring.");
	417	return;
	418	}
	419
	420	if (st.st_size <= 0)
	421	return;
	422
	423	if (st.st_size > ENTRY_SIZE_MAX) {
	424	log_error("File passed too large. Ignoring.");
	425	return;
	426	}
	427
c79e98ea LP	428	if (sealed) {
	429	void *p;
	430	size_t ps;
	431
	432	/* The file is sealed, we can just map it and use it. */
0153028a	433
c79e98ea LP	434	ps = PAGE_ALIGN(st.st_size);
	435	p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE, fd, 0);
	436	if (p == MAP_FAILED) {
56f64d95	437	log_error_errno(errno, "Failed to map memfd, ignoring: %m");
c79e98ea LP	438	return;
	439	}
	440
	441	server_process_native_message(s, p, st.st_size, ucred, tv, label, label_len);
	442	assert_se(munmap(p, ps) >= 0);
	443	} else {
	444	_cleanup_free_ void *p = NULL;
1e603a48	445	struct statvfs vfs;
c79e98ea LP	446	ssize_t n;
c79e98ea LP	447
1e603a48 LP	448	if (fstatvfs(fd, &vfs) < 0) {
	449	log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
	450	return;
	451	}
	452
	453	/* Refuse operating on file systems that have
	454	* mandatory locking enabled, see:
	455	*
	456	* https://github.com/systemd/systemd/issues/1822
	457	*/
	458	if (vfs.f_flag & ST_MANDLOCK) {
	459	log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
	460	return;
	461	}
	462
	463	/* Make the fd non-blocking. On regular files this has
	464	* the effect of bypassing mandatory locking. Of
	465	* course, this should normally not be necessary given
	466	* the check above, but let's better be safe than
	467	* sorry, after all NFS is pretty confusing regarding
	468	* file system flags, and we better don't trust it,
	469	* and so is SMB. */
	470	r = fd_nonblock(fd, true);
	471	if (r < 0) {
	472	log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
	473	return;
	474	}
	475
c79e98ea LP	476	/* The file is not sealed, we can't map the file here, since
	477	* clients might then truncate it and trigger a SIGBUS for
	478	* us. So let's stupidly read it */
	479
	480	p = malloc(st.st_size);
	481	if (!p) {
	482	log_oom();
	483	return;
	484	}
	485
	486	n = pread(fd, p, st.st_size, 0);
	487	if (n < 0)
c3753458	488	log_error_errno(errno, "Failed to read file, ignoring: %m");
c79e98ea LP	489	else if (n > 0)
	490	server_process_native_message(s, p, n, ucred, tv, label, label_len);
	491	}
0153028a LP	492	}
	493
	494	int server_open_native_socket(Server*s) {
fc2fffe7 LP	495
	496	static const union sockaddr_union sa = {
	497	.un.sun_family = AF_UNIX,
	498	.un.sun_path = "/run/systemd/journal/socket",
	499	};
3b3154df LP	500	static const int one = 1;
3b3154df LP	501	int r;
0153028a LP	502
	503	assert(s);
	504
	505	if (s->native_fd < 0) {
0153028a	506	s->native_fd = socket(AF_UNIX, SOCK_DGRAM\|SOCK_CLOEXEC\|SOCK_NONBLOCK, 0);
4a62c710 MS	507	if (s->native_fd < 0)
4a62c710 MS	508	return log_error_errno(errno, "socket() failed: %m");
0153028a	509
fc2fffe7	510	(void) unlink(sa.un.sun_path);
0153028a	511
fc2fffe7	512	r = bind(s->native_fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
4a62c710 MS	513	if (r < 0)
4a62c710 MS	514	return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
0153028a	515
4a61c3e5	516	(void) chmod(sa.un.sun_path, 0666);
0153028a LP	517	} else
	518	fd_nonblock(s->native_fd, 1);
	519
0153028a	520	r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
4a62c710 MS	521	if (r < 0)
4a62c710 MS	522	return log_error_errno(errno, "SO_PASSCRED failed: %m");
0153028a	523
349cc4a5	524	#if HAVE_SELINUX
6d395665	525	if (mac_selinux_use()) {
d682b3a7 LP	526	r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
d682b3a7 LP	527	if (r < 0)
56f64d95	528	log_warning_errno(errno, "SO_PASSSEC failed: %m");
d682b3a7	529	}
0153028a LP	530	#endif
0153028a LP	531
0153028a	532	r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
4a62c710 MS	533	if (r < 0)
4a62c710 MS	534	return log_error_errno(errno, "SO_TIMESTAMP failed: %m");
0153028a	535
8531ae70	536	r = sd_event_add_io(s->event, &s->native_event_source, s->native_fd, EPOLLIN, server_process_datagram, s);
23bbb0de MS	537	if (r < 0)
23bbb0de MS	538	return log_error_errno(r, "Failed to add native server fd to event loop: %m");
0153028a	539
48cef295 VC	540	r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5);
	541	if (r < 0)
	542	return log_error_errno(r, "Failed to adjust native event source priority: %m");
	543
0153028a LP	544	return 0;
0153028a LP	545	}