I think this is the most important of the capabilities bitmasks to log.
* teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
-* we should log capabilities too
-
* Support SO_REUSEPORT with socket activation:
- Let systemd maintain a pool of servers.
- Use for seamless upgrades, by running the new server before stopping the
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>_CAP_EFFECTIVE=</varname></term>
+ <listitem>
+ <para>The effective <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> of
+ the process the journal entry
+ originates from.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>_AUDIT_SESSION=</varname></term>
<term><varname>_AUDIT_LOGINUID=</varname></term>
IOVEC_SET_STRING(iovec[n++], x);
}
+ r = get_process_capeff(ucred->pid, &t);
+ if (r >= 0) {
+ x = strappenda("_CAP_EFFECTIVE=", t);
+ free(t);
+ IOVEC_SET_STRING(iovec[n++], x);
+ }
+
#ifdef HAVE_AUDIT
r = audit_session_from_pid(ucred->pid, &audit);
if (r >= 0) {
return 0;
}
+int get_process_capeff(pid_t pid, char **capeff) {
+ const char *p;
+ _cleanup_free_ char *status = NULL;
+ char *t = NULL;
+ int r;
+
+ assert(capeff);
+ assert(pid >= 0);
+
+ if (pid == 0)
+ p = "/proc/self/status";
+ else
+ p = procfs_file_alloca(pid, "status");
+
+ r = read_full_file(p, &status, NULL);
+ if (r < 0)
+ return r;
+
+ t = strstr(status, "\nCapEff:\t");
+ if (!t)
+ return -ENOENT;
+
+ for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
+ continue;
+
+ if (t[0] == '\n')
+ t--;
+
+ *capeff = strndup(t, strchr(t, '\n') - t);
+ if (!*capeff)
+ return -ENOMEM;
+
+ return 0;
+}
int get_process_exe(pid_t pid, char **name) {
const char *p;
int get_process_exe(pid_t pid, char **name);
int get_process_uid(pid_t pid, uid_t *uid);
int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);
char hexchar(int x) _const_;
int unhexchar(char c) _const_;