]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/journald-native.c
554f91460d45f0597cb4bfb3682cd5ede236e343
2 This file is part of systemd.
4 Copyright 2011 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <sys/epoll.h>
23 #include <sys/statvfs.h>
26 #include "alloc-util.h"
30 #include "journal-importer.h"
31 #include "journald-console.h"
32 #include "journald-kmsg.h"
33 #include "journald-native.h"
34 #include "journald-server.h"
35 #include "journald-syslog.h"
36 #include "journald-wall.h"
37 #include "memfd-util.h"
38 #include "parse-util.h"
39 #include "path-util.h"
40 #include "process-util.h"
41 #include "selinux-util.h"
42 #include "socket-util.h"
43 #include "string-util.h"
44 #include "unaligned.h"
46 bool valid_user_field(const char *p
, size_t l
, bool allow_protected
) {
49 /* We kinda enforce POSIX syntax recommendations for
50 environment variables here, but make a couple of additional
53 http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */
55 /* No empty field names */
59 /* Don't allow names longer than 64 chars */
63 /* Variables starting with an underscore are protected */
64 if (!allow_protected
&& p
[0] == '_')
67 /* Don't allow digits as first character */
68 if (p
[0] >= '0' && p
[0] <= '9')
71 /* Only allow A-Z0-9 and '_' */
72 for (a
= p
; a
< p
+ l
; a
++)
73 if ((*a
< 'A' || *a
> 'Z') &&
74 (*a
< '0' || *a
> '9') &&
81 static bool allow_object_pid(const struct ucred
*ucred
) {
82 return ucred
&& ucred
->uid
== 0;
85 static void server_process_entry_meta(
86 const char *p
, size_t l
,
87 const struct ucred
*ucred
,
93 /* We need to determine the priority of this entry for the rate limiting logic */
96 startswith(p
, "PRIORITY=") &&
97 p
[9] >= '0' && p
[9] <= '9')
98 *priority
= (*priority
& LOG_FACMASK
) | (p
[9] - '0');
101 startswith(p
, "SYSLOG_FACILITY=") &&
102 p
[16] >= '0' && p
[16] <= '9')
103 *priority
= (*priority
& LOG_PRIMASK
) | ((p
[16] - '0') << 3);
106 startswith(p
, "SYSLOG_FACILITY=") &&
107 p
[16] >= '0' && p
[16] <= '9' &&
108 p
[17] >= '0' && p
[17] <= '9')
109 *priority
= (*priority
& LOG_PRIMASK
) | (((p
[16] - '0')*10 + (p
[17] - '0')) << 3);
112 startswith(p
, "SYSLOG_IDENTIFIER=")) {
115 t
= strndup(p
+ 18, l
- 18);
122 startswith(p
, "MESSAGE=")) {
125 t
= strndup(p
+ 8, l
- 8);
131 } else if (l
> strlen("OBJECT_PID=") &&
132 l
< strlen("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t
) &&
133 startswith(p
, "OBJECT_PID=") &&
134 allow_object_pid(ucred
)) {
135 char buf
[DECIMAL_STR_MAX(pid_t
)];
136 memcpy(buf
, p
+ strlen("OBJECT_PID="), l
- strlen("OBJECT_PID="));
137 buf
[l
-strlen("OBJECT_PID=")] = '\0';
139 (void) parse_pid(buf
, object_pid
);
143 static int server_process_entry(
145 const void *buffer
, size_t *remaining
,
146 ClientContext
*context
,
147 const struct ucred
*ucred
,
148 const struct timeval
*tv
,
149 const char *label
, size_t label_len
) {
151 /* Process a single entry from a native message.
152 * Returns 0 if nothing special happened and the message processing should continue,
153 * and a negative or positive value otherwise.
155 * Note that *remaining is altered on both success and failure. */
157 struct iovec
*iovec
= NULL
;
158 unsigned n
= 0, j
, tn
= (unsigned) -1;
160 size_t m
= 0, entry_size
= 0;
161 int priority
= LOG_INFO
;
162 char *identifier
= NULL
, *message
= NULL
;
163 pid_t object_pid
= 0;
168 while (*remaining
> 0) {
171 e
= memchr(p
, '\n', *remaining
);
174 /* Trailing noise, let's ignore it, and flush what we collected */
175 log_debug("Received message with trailing noise, ignoring.");
176 r
= 1; /* finish processing of the message */
181 /* Entry separator */
186 if (*p
== '.' || *p
== '#') {
187 /* Ignore control commands for now, and
189 *remaining
-= (e
- p
) + 1;
194 /* A property follows */
196 /* n existing properties, 1 new, +1 for _TRANSPORT */
197 if (!GREEDY_REALLOC(iovec
, m
, n
+ 2 + N_IOVEC_META_FIELDS
+ N_IOVEC_OBJECT_FIELDS
)) {
202 q
= memchr(p
, '=', e
- p
);
204 if (valid_user_field(p
, q
- p
, false)) {
209 /* If the field name starts with an
210 * underscore, skip the variable,
211 * since that indicates a trusted
213 iovec
[n
].iov_base
= (char*) p
;
214 iovec
[n
].iov_len
= l
;
218 server_process_entry_meta(p
, l
, ucred
,
225 *remaining
-= (e
- p
) + 1;
232 if (*remaining
< e
- p
+ 1 + sizeof(uint64_t) + 1) {
233 log_debug("Failed to parse message, ignoring.");
237 l
= unaligned_read_le64(e
+ 1);
239 if (l
> DATA_SIZE_MAX
) {
240 log_debug("Received binary data block of %"PRIu64
" bytes is too large, ignoring.", l
);
244 if ((uint64_t) *remaining
< e
- p
+ 1 + sizeof(uint64_t) + l
+ 1 ||
245 e
[1+sizeof(uint64_t)+l
] != '\n') {
246 log_debug("Failed to parse message, ignoring.");
250 k
= malloc((e
- p
) + 1 + l
);
258 memcpy(k
+ (e
- p
) + 1, e
+ 1 + sizeof(uint64_t), l
);
260 if (valid_user_field(p
, e
- p
, false)) {
261 iovec
[n
].iov_base
= k
;
262 iovec
[n
].iov_len
= (e
- p
) + 1 + l
;
263 entry_size
+= iovec
[n
].iov_len
;
266 server_process_entry_meta(k
, (e
- p
) + 1 + l
, ucred
,
274 *remaining
-= (e
- p
) + 1 + sizeof(uint64_t) + l
+ 1;
275 p
= e
+ 1 + sizeof(uint64_t) + l
+ 1;
285 iovec
[tn
] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
286 entry_size
+= strlen("_TRANSPORT=journal");
288 if (entry_size
+ n
+ 1 > ENTRY_SIZE_MAX
) { /* data + separators + trailer */
289 log_debug("Entry is too big with %u properties and %zu bytes, ignoring.",
295 if (s
->forward_to_syslog
)
296 server_forward_syslog(s
, syslog_fixup_facility(priority
), identifier
, message
, ucred
, tv
);
298 if (s
->forward_to_kmsg
)
299 server_forward_kmsg(s
, priority
, identifier
, message
, ucred
);
301 if (s
->forward_to_console
)
302 server_forward_console(s
, priority
, identifier
, message
, ucred
);
304 if (s
->forward_to_wall
)
305 server_forward_wall(s
, priority
, identifier
, message
, ucred
);
308 server_dispatch_message(s
, iovec
, n
, m
, context
, tv
, priority
, object_pid
);
311 for (j
= 0; j
< n
; j
++) {
315 if (iovec
[j
].iov_base
< buffer
||
316 (const char*) iovec
[j
].iov_base
>= p
+ *remaining
)
317 free(iovec
[j
].iov_base
);
327 void server_process_native_message(
329 const void *buffer
, size_t buffer_size
,
330 const struct ucred
*ucred
,
331 const struct timeval
*tv
,
332 const char *label
, size_t label_len
) {
334 size_t remaining
= buffer_size
;
335 ClientContext
*context
;
339 assert(buffer
|| buffer_size
== 0);
341 if (ucred
&& pid_is_valid(ucred
->pid
)) {
342 r
= client_context_get(s
, ucred
->pid
, ucred
, label
, label_len
, NULL
, &context
);
344 log_warning_errno(r
, "Failed to retrieve credentials for PID " PID_FMT
", ignoring: %m", ucred
->pid
);
348 r
= server_process_entry(s
,
349 (const uint8_t*) buffer
+ (buffer_size
- remaining
), &remaining
,
350 context
, ucred
, tv
, label
, label_len
);
354 void server_process_native_file(
357 const struct ucred
*ucred
,
358 const struct timeval
*tv
,
359 const char *label
, size_t label_len
) {
365 /* Data is in the passed fd, since it didn't fit in a
371 /* If it's a memfd, check if it is sealed. If so, we can just
372 * use map it and use it, and do not need to copy the data
374 sealed
= memfd_get_sealed(fd
) > 0;
376 if (!sealed
&& (!ucred
|| ucred
->uid
!= 0)) {
377 _cleanup_free_
char *sl
= NULL
, *k
= NULL
;
380 /* If this is not a sealed memfd, and the peer is unknown or
381 * unprivileged, then verify the path. */
383 if (asprintf(&sl
, "/proc/self/fd/%i", fd
) < 0) {
388 r
= readlink_malloc(sl
, &k
);
390 log_error_errno(r
, "readlink(%s) failed: %m", sl
);
394 e
= path_startswith(k
, "/dev/shm/");
396 e
= path_startswith(k
, "/tmp/");
398 e
= path_startswith(k
, "/var/tmp/");
400 log_error("Received file outside of allowed directories. Refusing.");
404 if (!filename_is_valid(e
)) {
405 log_error("Received file in subdirectory of allowed directories. Refusing.");
410 if (fstat(fd
, &st
) < 0) {
411 log_error_errno(errno
, "Failed to stat passed file, ignoring: %m");
415 if (!S_ISREG(st
.st_mode
)) {
416 log_error("File passed is not regular. Ignoring.");
423 if (st
.st_size
> ENTRY_SIZE_MAX
) {
424 log_error("File passed too large. Ignoring.");
432 /* The file is sealed, we can just map it and use it. */
434 ps
= PAGE_ALIGN(st
.st_size
);
435 p
= mmap(NULL
, ps
, PROT_READ
, MAP_PRIVATE
, fd
, 0);
436 if (p
== MAP_FAILED
) {
437 log_error_errno(errno
, "Failed to map memfd, ignoring: %m");
441 server_process_native_message(s
, p
, st
.st_size
, ucred
, tv
, label
, label_len
);
442 assert_se(munmap(p
, ps
) >= 0);
444 _cleanup_free_
void *p
= NULL
;
448 if (fstatvfs(fd
, &vfs
) < 0) {
449 log_error_errno(errno
, "Failed to stat file system of passed file, ignoring: %m");
453 /* Refuse operating on file systems that have
454 * mandatory locking enabled, see:
456 * https://github.com/systemd/systemd/issues/1822
458 if (vfs
.f_flag
& ST_MANDLOCK
) {
459 log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
463 /* Make the fd non-blocking. On regular files this has
464 * the effect of bypassing mandatory locking. Of
465 * course, this should normally not be necessary given
466 * the check above, but let's better be safe than
467 * sorry, after all NFS is pretty confusing regarding
468 * file system flags, and we better don't trust it,
470 r
= fd_nonblock(fd
, true);
472 log_error_errno(r
, "Failed to make fd non-blocking, ignoring: %m");
476 /* The file is not sealed, we can't map the file here, since
477 * clients might then truncate it and trigger a SIGBUS for
478 * us. So let's stupidly read it */
480 p
= malloc(st
.st_size
);
486 n
= pread(fd
, p
, st
.st_size
, 0);
488 log_error_errno(errno
, "Failed to read file, ignoring: %m");
490 server_process_native_message(s
, p
, n
, ucred
, tv
, label
, label_len
);
494 int server_open_native_socket(Server
*s
) {
496 static const union sockaddr_union sa
= {
497 .un
.sun_family
= AF_UNIX
,
498 .un
.sun_path
= "/run/systemd/journal/socket",
500 static const int one
= 1;
505 if (s
->native_fd
< 0) {
506 s
->native_fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
507 if (s
->native_fd
< 0)
508 return log_error_errno(errno
, "socket() failed: %m");
510 (void) unlink(sa
.un
.sun_path
);
512 r
= bind(s
->native_fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
514 return log_error_errno(errno
, "bind(%s) failed: %m", sa
.un
.sun_path
);
516 (void) chmod(sa
.un
.sun_path
, 0666);
518 fd_nonblock(s
->native_fd
, 1);
520 r
= setsockopt(s
->native_fd
, SOL_SOCKET
, SO_PASSCRED
, &one
, sizeof(one
));
522 return log_error_errno(errno
, "SO_PASSCRED failed: %m");
525 if (mac_selinux_use()) {
526 r
= setsockopt(s
->native_fd
, SOL_SOCKET
, SO_PASSSEC
, &one
, sizeof(one
));
528 log_warning_errno(errno
, "SO_PASSSEC failed: %m");
532 r
= setsockopt(s
->native_fd
, SOL_SOCKET
, SO_TIMESTAMP
, &one
, sizeof(one
));
534 return log_error_errno(errno
, "SO_TIMESTAMP failed: %m");
536 r
= sd_event_add_io(s
->event
, &s
->native_event_source
, s
->native_fd
, EPOLLIN
, server_process_datagram
, s
);
538 return log_error_errno(r
, "Failed to add native server fd to event loop: %m");
540 r
= sd_event_source_set_priority(s
->native_event_source
, SD_EVENT_PRIORITY_NORMAL
+5);
542 return log_error_errno(r
, "Failed to adjust native event source priority: %m");