]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/journald-native.c
projects / thirdparty / systemd.git / blob
? search:


554f91460d45f0597cb4bfb3682cd5ede236e343
[thirdparty/systemd.git] / src / journal / journald-native.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2011 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <stddef.h>
21 #include <sys/epoll.h>
22 #include <sys/mman.h>
23 #include <sys/statvfs.h>
24 #include <unistd.h>
25
26 #include "alloc-util.h"
27 #include "fd-util.h"
28 #include "fs-util.h"
29 #include "io-util.h"
30 #include "journal-importer.h"
31 #include "journald-console.h"
32 #include "journald-kmsg.h"
33 #include "journald-native.h"
34 #include "journald-server.h"
35 #include "journald-syslog.h"
36 #include "journald-wall.h"
37 #include "memfd-util.h"
38 #include "parse-util.h"
39 #include "path-util.h"
40 #include "process-util.h"
41 #include "selinux-util.h"
42 #include "socket-util.h"
43 #include "string-util.h"
44 #include "unaligned.h"
45
46 bool valid_user_field(const char *p, size_t l, bool allow_protected) {
47 const char *a;
48
49 /* We kinda enforce POSIX syntax recommendations for
50 environment variables here, but make a couple of additional
51 requirements.
52
53 http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */
54
55 /* No empty field names */
56 if (l <= 0)
57 return false;
58
59 /* Don't allow names longer than 64 chars */
60 if (l > 64)
61 return false;
62
63 /* Variables starting with an underscore are protected */
64 if (!allow_protected && p[0] == '_')
65 return false;
66
67 /* Don't allow digits as first character */
68 if (p[0] >= '0' && p[0] <= '9')
69 return false;
70
71 /* Only allow A-Z0-9 and '_' */
72 for (a = p; a < p + l; a++)
73 if ((*a < 'A' || *a > 'Z') &&
74 (*a < '0' || *a > '9') &&
75 *a != '_')
76 return false;
77
78 return true;
79 }
80
81 static bool allow_object_pid(const struct ucred *ucred) {
82 return ucred && ucred->uid == 0;
83 }
84
85 static void server_process_entry_meta(
86 const char *p, size_t l,
87 const struct ucred *ucred,
88 int *priority,
89 char **identifier,
90 char **message,
91 pid_t *object_pid) {
92
93 /* We need to determine the priority of this entry for the rate limiting logic */
94
95 if (l == 10 &&
96 startswith(p, "PRIORITY=") &&
97 p[9] >= '0' && p[9] <= '9')
98 *priority = (*priority & LOG_FACMASK) | (p[9] - '0');
99
100 else if (l == 17 &&
101 startswith(p, "SYSLOG_FACILITY=") &&
102 p[16] >= '0' && p[16] <= '9')
103 *priority = (*priority & LOG_PRIMASK) | ((p[16] - '0') << 3);
104
105 else if (l == 18 &&
106 startswith(p, "SYSLOG_FACILITY=") &&
107 p[16] >= '0' && p[16] <= '9' &&
108 p[17] >= '0' && p[17] <= '9')
109 *priority = (*priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);
110
111 else if (l >= 19 &&
112 startswith(p, "SYSLOG_IDENTIFIER=")) {
113 char *t;
114
115 t = strndup(p + 18, l - 18);
116 if (t) {
117 free(*identifier);
118 *identifier = t;
119 }
120
121 } else if (l >= 8 &&
122 startswith(p, "MESSAGE=")) {
123 char *t;
124
125 t = strndup(p + 8, l - 8);
126 if (t) {
127 free(*message);
128 *message = t;
129 }
130
131 } else if (l > strlen("OBJECT_PID=") &&
132 l < strlen("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t) &&
133 startswith(p, "OBJECT_PID=") &&
134 allow_object_pid(ucred)) {
135 char buf[DECIMAL_STR_MAX(pid_t)];
136 memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
137 buf[l-strlen("OBJECT_PID=")] = '\0';
138
139 (void) parse_pid(buf, object_pid);
140 }
141 }
142
143 static int server_process_entry(
144 Server *s,
145 const void *buffer, size_t *remaining,
146 ClientContext *context,
147 const struct ucred *ucred,
148 const struct timeval *tv,
149 const char *label, size_t label_len) {
150
151 /* Process a single entry from a native message.
152 * Returns 0 if nothing special happened and the message processing should continue,
153 * and a negative or positive value otherwise.
154 *
155 * Note that *remaining is altered on both success and failure. */
156
157 struct iovec *iovec = NULL;
158 unsigned n = 0, j, tn = (unsigned) -1;
159 const char *p;
160 size_t m = 0, entry_size = 0;
161 int priority = LOG_INFO;
162 char *identifier = NULL, *message = NULL;
163 pid_t object_pid = 0;
164 int r = 0;
165
166 p = buffer;
167
168 while (*remaining > 0) {
169 const char *e, *q;
170
171 e = memchr(p, '\n', *remaining);
172
173 if (!e) {
174 /* Trailing noise, let's ignore it, and flush what we collected */
175 log_debug("Received message with trailing noise, ignoring.");
176 r = 1; /* finish processing of the message */
177 break;
178 }
179
180 if (e == p) {
181 /* Entry separator */
182 *remaining -= 1;
183 break;
184 }
185
186 if (*p == '.' || *p == '#') {
187 /* Ignore control commands for now, and
188 * comments too. */
189 *remaining -= (e - p) + 1;
190 p = e + 1;
191 continue;
192 }
193
194 /* A property follows */
195
196 /* n existing properties, 1 new, +1 for _TRANSPORT */
197 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
198 r = log_oom();
199 break;
200 }
201
202 q = memchr(p, '=', e - p);
203 if (q) {
204 if (valid_user_field(p, q - p, false)) {
205 size_t l;
206
207 l = e - p;
208
209 /* If the field name starts with an
210 * underscore, skip the variable,
211 * since that indicates a trusted
212 * field */
213 iovec[n].iov_base = (char*) p;
214 iovec[n].iov_len = l;
215 entry_size += l;
216 n++;
217
218 server_process_entry_meta(p, l, ucred,
219 &priority,
220 &identifier,
221 &message,
222 &object_pid);
223 }
224
225 *remaining -= (e - p) + 1;
226 p = e + 1;
227 continue;
228 } else {
229 uint64_t l;
230 char *k;
231
232 if (*remaining < e - p + 1 + sizeof(uint64_t) + 1) {
233 log_debug("Failed to parse message, ignoring.");
234 break;
235 }
236
237 l = unaligned_read_le64(e + 1);
238
239 if (l > DATA_SIZE_MAX) {
240 log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);
241 break;
242 }
243
244 if ((uint64_t) *remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
245 e[1+sizeof(uint64_t)+l] != '\n') {
246 log_debug("Failed to parse message, ignoring.");
247 break;
248 }
249
250 k = malloc((e - p) + 1 + l);
251 if (!k) {
252 log_oom();
253 break;
254 }
255
256 memcpy(k, p, e - p);
257 k[e - p] = '=';
258 memcpy(k + (e - p) + 1, e + 1 + sizeof(uint64_t), l);
259
260 if (valid_user_field(p, e - p, false)) {
261 iovec[n].iov_base = k;
262 iovec[n].iov_len = (e - p) + 1 + l;
263 entry_size += iovec[n].iov_len;
264 n++;
265
266 server_process_entry_meta(k, (e - p) + 1 + l, ucred,
267 &priority,
268 &identifier,
269 &message,
270 &object_pid);
271 } else
272 free(k);
273
274 *remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
275 p = e + 1 + sizeof(uint64_t) + l + 1;
276 }
277 }
278
279 if (n <= 0) {
280 r = 1;
281 goto finish;
282 }
283
284 tn = n++;
285 iovec[tn] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
286 entry_size += strlen("_TRANSPORT=journal");
287
288 if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
289 log_debug("Entry is too big with %u properties and %zu bytes, ignoring.",
290 n, entry_size);
291 goto finish;
292 }
293
294 if (message) {
295 if (s->forward_to_syslog)
296 server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv);
297
298 if (s->forward_to_kmsg)
299 server_forward_kmsg(s, priority, identifier, message, ucred);
300
301 if (s->forward_to_console)
302 server_forward_console(s, priority, identifier, message, ucred);
303
304 if (s->forward_to_wall)
305 server_forward_wall(s, priority, identifier, message, ucred);
306 }
307
308 server_dispatch_message(s, iovec, n, m, context, tv, priority, object_pid);
309
310 finish:
311 for (j = 0; j < n; j++) {
312 if (j == tn)
313 continue;
314
315 if (iovec[j].iov_base < buffer ||
316 (const char*) iovec[j].iov_base >= p + *remaining)
317 free(iovec[j].iov_base);
318 }
319
320 free(iovec);
321 free(identifier);
322 free(message);
323
324 return r;
325 }
326
327 void server_process_native_message(
328 Server *s,
329 const void *buffer, size_t buffer_size,
330 const struct ucred *ucred,
331 const struct timeval *tv,
332 const char *label, size_t label_len) {
333
334 size_t remaining = buffer_size;
335 ClientContext *context;
336 int r;
337
338 assert(s);
339 assert(buffer || buffer_size == 0);
340
341 if (ucred && pid_is_valid(ucred->pid)) {
342 r = client_context_get(s, ucred->pid, ucred, label, label_len, NULL, &context);
343 if (r < 0)
344 log_warning_errno(r, "Failed to retrieve credentials for PID " PID_FMT ", ignoring: %m", ucred->pid);
345 }
346
347 do {
348 r = server_process_entry(s,
349 (const uint8_t*) buffer + (buffer_size - remaining), &remaining,
350 context, ucred, tv, label, label_len);
351 } while (r == 0);
352 }
353
354 void server_process_native_file(
355 Server *s,
356 int fd,
357 const struct ucred *ucred,
358 const struct timeval *tv,
359 const char *label, size_t label_len) {
360
361 struct stat st;
362 bool sealed;
363 int r;
364
365 /* Data is in the passed fd, since it didn't fit in a
366 * datagram. */
367
368 assert(s);
369 assert(fd >= 0);
370
371 /* If it's a memfd, check if it is sealed. If so, we can just
372 * use map it and use it, and do not need to copy the data
373 * out. */
374 sealed = memfd_get_sealed(fd) > 0;
375
376 if (!sealed && (!ucred || ucred->uid != 0)) {
377 _cleanup_free_ char *sl = NULL, *k = NULL;
378 const char *e;
379
380 /* If this is not a sealed memfd, and the peer is unknown or
381 * unprivileged, then verify the path. */
382
383 if (asprintf(&sl, "/proc/self/fd/%i", fd) < 0) {
384 log_oom();
385 return;
386 }
387
388 r = readlink_malloc(sl, &k);
389 if (r < 0) {
390 log_error_errno(r, "readlink(%s) failed: %m", sl);
391 return;
392 }
393
394 e = path_startswith(k, "/dev/shm/");
395 if (!e)
396 e = path_startswith(k, "/tmp/");
397 if (!e)
398 e = path_startswith(k, "/var/tmp/");
399 if (!e) {
400 log_error("Received file outside of allowed directories. Refusing.");
401 return;
402 }
403
404 if (!filename_is_valid(e)) {
405 log_error("Received file in subdirectory of allowed directories. Refusing.");
406 return;
407 }
408 }
409
410 if (fstat(fd, &st) < 0) {
411 log_error_errno(errno, "Failed to stat passed file, ignoring: %m");
412 return;
413 }
414
415 if (!S_ISREG(st.st_mode)) {
416 log_error("File passed is not regular. Ignoring.");
417 return;
418 }
419
420 if (st.st_size <= 0)
421 return;
422
423 if (st.st_size > ENTRY_SIZE_MAX) {
424 log_error("File passed too large. Ignoring.");
425 return;
426 }
427
428 if (sealed) {
429 void *p;
430 size_t ps;
431
432 /* The file is sealed, we can just map it and use it. */
433
434 ps = PAGE_ALIGN(st.st_size);
435 p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE, fd, 0);
436 if (p == MAP_FAILED) {
437 log_error_errno(errno, "Failed to map memfd, ignoring: %m");
438 return;
439 }
440
441 server_process_native_message(s, p, st.st_size, ucred, tv, label, label_len);
442 assert_se(munmap(p, ps) >= 0);
443 } else {
444 _cleanup_free_ void *p = NULL;
445 struct statvfs vfs;
446 ssize_t n;
447
448 if (fstatvfs(fd, &vfs) < 0) {
449 log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
450 return;
451 }
452
453 /* Refuse operating on file systems that have
454 * mandatory locking enabled, see:
455 *
456 * https://github.com/systemd/systemd/issues/1822
457 */
458 if (vfs.f_flag & ST_MANDLOCK) {
459 log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
460 return;
461 }
462
463 /* Make the fd non-blocking. On regular files this has
464 * the effect of bypassing mandatory locking. Of
465 * course, this should normally not be necessary given
466 * the check above, but let's better be safe than
467 * sorry, after all NFS is pretty confusing regarding
468 * file system flags, and we better don't trust it,
469 * and so is SMB. */
470 r = fd_nonblock(fd, true);
471 if (r < 0) {
472 log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
473 return;
474 }
475
476 /* The file is not sealed, we can't map the file here, since
477 * clients might then truncate it and trigger a SIGBUS for
478 * us. So let's stupidly read it */
479
480 p = malloc(st.st_size);
481 if (!p) {
482 log_oom();
483 return;
484 }
485
486 n = pread(fd, p, st.st_size, 0);
487 if (n < 0)
488 log_error_errno(errno, "Failed to read file, ignoring: %m");
489 else if (n > 0)
490 server_process_native_message(s, p, n, ucred, tv, label, label_len);
491 }
492 }
493
494 int server_open_native_socket(Server*s) {
495
496 static const union sockaddr_union sa = {
497 .un.sun_family = AF_UNIX,
498 .un.sun_path = "/run/systemd/journal/socket",
499 };
500 static const int one = 1;
501 int r;
502
503 assert(s);
504
505 if (s->native_fd < 0) {
506 s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
507 if (s->native_fd < 0)
508 return log_error_errno(errno, "socket() failed: %m");
509
510 (void) unlink(sa.un.sun_path);
511
512 r = bind(s->native_fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
513 if (r < 0)
514 return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
515
516 (void) chmod(sa.un.sun_path, 0666);
517 } else
518 fd_nonblock(s->native_fd, 1);
519
520 r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
521 if (r < 0)
522 return log_error_errno(errno, "SO_PASSCRED failed: %m");
523
524 #ifdef HAVE_SELINUX
525 if (mac_selinux_use()) {
526 r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
527 if (r < 0)
528 log_warning_errno(errno, "SO_PASSSEC failed: %m");
529 }
530 #endif
531
532 r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
533 if (r < 0)
534 return log_error_errno(errno, "SO_TIMESTAMP failed: %m");
535
536 r = sd_event_add_io(s->event, &s->native_event_source, s->native_fd, EPOLLIN, server_process_datagram, s);
537 if (r < 0)
538 return log_error_errno(r, "Failed to add native server fd to event loop: %m");
539
540 r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5);
541 if (r < 0)
542 return log_error_errno(r, "Failed to adjust native event source priority: %m");
543
544 return 0;
545 }
Unnamed repository; edit this file 'description' to name the repository.