]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/journal/journald-native.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
pkgconfig: define variables relative to ${prefix}/${rootprefix}/${sysconfdir}
[thirdparty/systemd.git] / src / journal / journald-native.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <stddef.h>
4 #include <sys/epoll.h>
5 #include <sys/mman.h>
6 #include <sys/statvfs.h>
7 #include <unistd.h>
8
9 #include "alloc-util.h"
10 #include "fd-util.h"
11 #include "fs-util.h"
12 #include "io-util.h"
13 #include "journal-importer.h"
14 #include "journal-util.h"
15 #include "journald-console.h"
16 #include "journald-kmsg.h"
17 #include "journald-native.h"
18 #include "journald-server.h"
19 #include "journald-syslog.h"
20 #include "journald-wall.h"
21 #include "memfd-util.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "process-util.h"
25 #include "selinux-util.h"
26 #include "socket-util.h"
27 #include "string-util.h"
28 #include "unaligned.h"
29
30 static bool allow_object_pid(const struct ucred *ucred) {
31 return ucred && ucred->uid == 0;
32 }
33
34 static void server_process_entry_meta(
35 const char *p, size_t l,
36 const struct ucred *ucred,
37 int *priority,
38 char **identifier,
39 char **message,
40 pid_t *object_pid) {
41
42 /* We need to determine the priority of this entry for the rate limiting logic */
43
44 if (l == 10 &&
45 startswith(p, "PRIORITY=") &&
46 p[9] >= '0' && p[9] <= '9')
47 *priority = (*priority & LOG_FACMASK) | (p[9] - '0');
48
49 else if (l == 17 &&
50 startswith(p, "SYSLOG_FACILITY=") &&
51 p[16] >= '0' && p[16] <= '9')
52 *priority = (*priority & LOG_PRIMASK) | ((p[16] - '0') << 3);
53
54 else if (l == 18 &&
55 startswith(p, "SYSLOG_FACILITY=") &&
56 p[16] >= '0' && p[16] <= '9' &&
57 p[17] >= '0' && p[17] <= '9')
58 *priority = (*priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);
59
60 else if (l >= 19 &&
61 startswith(p, "SYSLOG_IDENTIFIER=")) {
62 char *t;
63
64 t = strndup(p + 18, l - 18);
65 if (t) {
66 free(*identifier);
67 *identifier = t;
68 }
69
70 } else if (l >= 8 &&
71 startswith(p, "MESSAGE=")) {
72 char *t;
73
74 t = strndup(p + 8, l - 8);
75 if (t) {
76 free(*message);
77 *message = t;
78 }
79
80 } else if (l > STRLEN("OBJECT_PID=") &&
81 l < STRLEN("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t) &&
82 startswith(p, "OBJECT_PID=") &&
83 allow_object_pid(ucred)) {
84 char buf[DECIMAL_STR_MAX(pid_t)];
85 memcpy(buf, p + STRLEN("OBJECT_PID="),
86 l - STRLEN("OBJECT_PID="));
87 buf[l-STRLEN("OBJECT_PID=")] = '\0';
88
89 (void) parse_pid(buf, object_pid);
90 }
91 }
92
93 static int server_process_entry(
94 Server *s,
95 const void *buffer, size_t *remaining,
96 ClientContext *context,
97 const struct ucred *ucred,
98 const struct timeval *tv,
99 const char *label, size_t label_len) {
100
101 /* Process a single entry from a native message. Returns 0 if nothing special happened and the message
102 * processing should continue, and a negative or positive value otherwise.
103 *
104 * Note that *remaining is altered on both success and failure. */
105
106 size_t n = 0, j, tn = (size_t) -1, m = 0, entry_size = 0;
107 char *identifier = NULL, *message = NULL;
108 struct iovec *iovec = NULL;
109 int priority = LOG_INFO;
110 pid_t object_pid = 0;
111 const char *p;
112 int r = 0;
113
114 p = buffer;
115
116 while (*remaining > 0) {
117 const char *e, *q;
118
119 e = memchr(p, '\n', *remaining);
120
121 if (!e) {
122 /* Trailing noise, let's ignore it, and flush what we collected */
123 log_debug("Received message with trailing noise, ignoring.");
124 r = 1; /* finish processing of the message */
125 break;
126 }
127
128 if (e == p) {
129 /* Entry separator */
130 *remaining -= 1;
131 break;
132 }
133
134 if (IN_SET(*p, '.', '#')) {
135 /* Ignore control commands for now, and
136 * comments too. */
137 *remaining -= (e - p) + 1;
138 p = e + 1;
139 continue;
140 }
141
142 /* A property follows */
143
144 /* n existing properties, 1 new, +1 for _TRANSPORT */
145 if (!GREEDY_REALLOC(iovec, m,
146 n + 2 +
147 N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS +
148 client_context_extra_fields_n_iovec(context))) {
149 r = log_oom();
150 break;
151 }
152
153 q = memchr(p, '=', e - p);
154 if (q) {
155 if (journal_field_valid(p, q - p, false)) {
156 size_t l;
157
158 l = e - p;
159
160 /* If the field name starts with an underscore, skip the variable, since that indicates
161 * a trusted field */
162 iovec[n++] = IOVEC_MAKE((char*) p, l);
163 entry_size += l;
164
165 server_process_entry_meta(p, l, ucred,
166 &priority,
167 &identifier,
168 &message,
169 &object_pid);
170 }
171
172 *remaining -= (e - p) + 1;
173 p = e + 1;
174 continue;
175 } else {
176 uint64_t l;
177 char *k;
178
179 if (*remaining < e - p + 1 + sizeof(uint64_t) + 1) {
180 log_debug("Failed to parse message, ignoring.");
181 break;
182 }
183
184 l = unaligned_read_le64(e + 1);
185
186 if (l > DATA_SIZE_MAX) {
187 log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);
188 break;
189 }
190
191 if ((uint64_t) *remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
192 e[1+sizeof(uint64_t)+l] != '\n') {
193 log_debug("Failed to parse message, ignoring.");
194 break;
195 }
196
197 k = malloc((e - p) + 1 + l);
198 if (!k) {
199 log_oom();
200 break;
201 }
202
203 memcpy(k, p, e - p);
204 k[e - p] = '=';
205 memcpy(k + (e - p) + 1, e + 1 + sizeof(uint64_t), l);
206
207 if (journal_field_valid(p, e - p, false)) {
208 iovec[n].iov_base = k;
209 iovec[n].iov_len = (e - p) + 1 + l;
210 entry_size += iovec[n].iov_len;
211 n++;
212
213 server_process_entry_meta(k, (e - p) + 1 + l, ucred,
214 &priority,
215 &identifier,
216 &message,
217 &object_pid);
218 } else
219 free(k);
220
221 *remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
222 p = e + 1 + sizeof(uint64_t) + l + 1;
223 }
224 }
225
226 if (n <= 0) {
227 r = 1;
228 goto finish;
229 }
230
231 if (!client_context_test_priority(context, priority)) {
232 r = 0;
233 goto finish;
234 }
235
236 tn = n++;
237 iovec[tn] = IOVEC_MAKE_STRING("_TRANSPORT=journal");
238 entry_size += STRLEN("_TRANSPORT=journal");
239
240 if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
241 log_debug("Entry is too big with %zu properties and %zu bytes, ignoring.", n, entry_size);
242 goto finish;
243 }
244
245 if (message) {
246 if (s->forward_to_syslog)
247 server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv);
248
249 if (s->forward_to_kmsg)
250 server_forward_kmsg(s, priority, identifier, message, ucred);
251
252 if (s->forward_to_console)
253 server_forward_console(s, priority, identifier, message, ucred);
254
255 if (s->forward_to_wall)
256 server_forward_wall(s, priority, identifier, message, ucred);
257 }
258
259 server_dispatch_message(s, iovec, n, m, context, tv, priority, object_pid);
260
261 finish:
262 for (j = 0; j < n; j++) {
263 if (j == tn)
264 continue;
265
266 if (iovec[j].iov_base < buffer ||
267 (const char*) iovec[j].iov_base >= p + *remaining)
268 free(iovec[j].iov_base);
269 }
270
271 free(iovec);
272 free(identifier);
273 free(message);
274
275 return r;
276 }
277
278 void server_process_native_message(
279 Server *s,
280 const char *buffer, size_t buffer_size,
281 const struct ucred *ucred,
282 const struct timeval *tv,
283 const char *label, size_t label_len) {
284
285 size_t remaining = buffer_size;
286 ClientContext *context = NULL;
287 int r;
288
289 assert(s);
290 assert(buffer || buffer_size == 0);
291
292 if (ucred && pid_is_valid(ucred->pid)) {
293 r = client_context_get(s, ucred->pid, ucred, label, label_len, NULL, &context);
294 if (r < 0)
295 log_warning_errno(r, "Failed to retrieve credentials for PID " PID_FMT ", ignoring: %m", ucred->pid);
296 }
297
298 do {
299 r = server_process_entry(s,
300 (const uint8_t*) buffer + (buffer_size - remaining), &remaining,
301 context, ucred, tv, label, label_len);
302 } while (r == 0);
303 }
304
305 void server_process_native_file(
306 Server *s,
307 int fd,
308 const struct ucred *ucred,
309 const struct timeval *tv,
310 const char *label, size_t label_len) {
311
312 struct stat st;
313 bool sealed;
314 int r;
315
316 /* Data is in the passed fd, since it didn't fit in a
317 * datagram. */
318
319 assert(s);
320 assert(fd >= 0);
321
322 /* If it's a memfd, check if it is sealed. If so, we can just
323 * use map it and use it, and do not need to copy the data
324 * out. */
325 sealed = memfd_get_sealed(fd) > 0;
326
327 if (!sealed && (!ucred || ucred->uid != 0)) {
328 _cleanup_free_ char *k = NULL;
329 const char *e;
330
331 /* If this is not a sealed memfd, and the peer is unknown or
332 * unprivileged, then verify the path. */
333
334 r = fd_get_path(fd, &k);
335 if (r < 0) {
336 log_error_errno(r, "readlink(/proc/self/fd/%i) failed: %m", fd);
337 return;
338 }
339
340 e = path_startswith(k, "/dev/shm/");
341 if (!e)
342 e = path_startswith(k, "/tmp/");
343 if (!e)
344 e = path_startswith(k, "/var/tmp/");
345 if (!e) {
346 log_error("Received file outside of allowed directories. Refusing.");
347 return;
348 }
349
350 if (!filename_is_valid(e)) {
351 log_error("Received file in subdirectory of allowed directories. Refusing.");
352 return;
353 }
354 }
355
356 if (fstat(fd, &st) < 0) {
357 log_error_errno(errno, "Failed to stat passed file, ignoring: %m");
358 return;
359 }
360
361 if (!S_ISREG(st.st_mode)) {
362 log_error("File passed is not regular. Ignoring.");
363 return;
364 }
365
366 if (st.st_size <= 0)
367 return;
368
369 if (st.st_size > ENTRY_SIZE_MAX) {
370 log_error("File passed too large. Ignoring.");
371 return;
372 }
373
374 if (sealed) {
375 void *p;
376 size_t ps;
377
378 /* The file is sealed, we can just map it and use it. */
379
380 ps = PAGE_ALIGN(st.st_size);
381 p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE, fd, 0);
382 if (p == MAP_FAILED) {
383 log_error_errno(errno, "Failed to map memfd, ignoring: %m");
384 return;
385 }
386
387 server_process_native_message(s, p, st.st_size, ucred, tv, label, label_len);
388 assert_se(munmap(p, ps) >= 0);
389 } else {
390 _cleanup_free_ void *p = NULL;
391 struct statvfs vfs;
392 ssize_t n;
393
394 if (fstatvfs(fd, &vfs) < 0) {
395 log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
396 return;
397 }
398
399 /* Refuse operating on file systems that have
400 * mandatory locking enabled, see:
401 *
402 * https://github.com/systemd/systemd/issues/1822
403 */
404 if (vfs.f_flag & ST_MANDLOCK) {
405 log_error("Received file descriptor from file system with mandatory locking enabled, refusing.");
406 return;
407 }
408
409 /* Make the fd non-blocking. On regular files this has
410 * the effect of bypassing mandatory locking. Of
411 * course, this should normally not be necessary given
412 * the check above, but let's better be safe than
413 * sorry, after all NFS is pretty confusing regarding
414 * file system flags, and we better don't trust it,
415 * and so is SMB. */
416 r = fd_nonblock(fd, true);
417 if (r < 0) {
418 log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
419 return;
420 }
421
422 /* The file is not sealed, we can't map the file here, since
423 * clients might then truncate it and trigger a SIGBUS for
424 * us. So let's stupidly read it */
425
426 p = malloc(st.st_size);
427 if (!p) {
428 log_oom();
429 return;
430 }
431
432 n = pread(fd, p, st.st_size, 0);
433 if (n < 0)
434 log_error_errno(errno, "Failed to read file, ignoring: %m");
435 else if (n > 0)
436 server_process_native_message(s, p, n, ucred, tv, label, label_len);
437 }
438 }
439
440 int server_open_native_socket(Server*s) {
441
442 static const union sockaddr_union sa = {
443 .un.sun_family = AF_UNIX,
444 .un.sun_path = "/run/systemd/journal/socket",
445 };
446 int r;
447
448 assert(s);
449
450 if (s->native_fd < 0) {
451 s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
452 if (s->native_fd < 0)
453 return log_error_errno(errno, "socket() failed: %m");
454
455 (void) sockaddr_un_unlink(&sa.un);
456
457 r = bind(s->native_fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
458 if (r < 0)
459 return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
460
461 (void) chmod(sa.un.sun_path, 0666);
462 } else
463 (void) fd_nonblock(s->native_fd, true);
464
465 r = setsockopt_int(s->native_fd, SOL_SOCKET, SO_PASSCRED, true);
466 if (r < 0)
467 return log_error_errno(r, "SO_PASSCRED failed: %m");
468
469 #if HAVE_SELINUX
470 if (mac_selinux_use()) {
471 r = setsockopt_int(s->native_fd, SOL_SOCKET, SO_PASSSEC, true);
472 if (r < 0)
473 log_warning_errno(r, "SO_PASSSEC failed: %m");
474 }
475 #endif
476
477 r = setsockopt_int(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, true);
478 if (r < 0)
479 return log_error_errno(r, "SO_TIMESTAMP failed: %m");
480
481 r = sd_event_add_io(s->event, &s->native_event_source, s->native_fd, EPOLLIN, server_process_datagram, s);
482 if (r < 0)
483 return log_error_errno(r, "Failed to add native server fd to event loop: %m");
484
485 r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5);
486 if (r < 0)
487 return log_error_errno(r, "Failed to adjust native event source priority: %m");
488
489 return 0;
490 }
Unnamed repository; edit this file 'description' to name the repository.