]> git.proxmox.com Git - systemd.git/blob - src/journal/journald-native.c
projects / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'upstream/229'
[systemd.git] / src / journal / journald-native.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2011 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <stddef.h>
21 #include <sys/epoll.h>
22 #include <sys/mman.h>
23 #include <sys/statvfs.h>
24 #include <unistd.h>
25
26 #include "alloc-util.h"
27 #include "fd-util.h"
28 #include "fs-util.h"
29 #include "io-util.h"
30 #include "journald-console.h"
31 #include "journald-kmsg.h"
32 #include "journald-native.h"
33 #include "journald-server.h"
34 #include "journald-syslog.h"
35 #include "journald-wall.h"
36 #include "memfd-util.h"
37 #include "parse-util.h"
38 #include "path-util.h"
39 #include "selinux-util.h"
40 #include "socket-util.h"
41 #include "string-util.h"
42
43 bool valid_user_field(const char *p, size_t l, bool allow_protected) {
44 const char *a;
45
46 /* We kinda enforce POSIX syntax recommendations for
47 environment variables here, but make a couple of additional
48 requirements.
49
50 http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html */
51
52 /* No empty field names */
53 if (l <= 0)
54 return false;
55
56 /* Don't allow names longer than 64 chars */
57 if (l > 64)
58 return false;
59
60 /* Variables starting with an underscore are protected */
61 if (!allow_protected && p[0] == '_')
62 return false;
63
64 /* Don't allow digits as first character */
65 if (p[0] >= '0' && p[0] <= '9')
66 return false;
67
68 /* Only allow A-Z0-9 and '_' */
69 for (a = p; a < p + l; a++)
70 if ((*a < 'A' || *a > 'Z') &&
71 (*a < '0' || *a > '9') &&
72 *a != '_')
73 return false;
74
75 return true;
76 }
77
78 static bool allow_object_pid(const struct ucred *ucred) {
79 return ucred && ucred->uid == 0;
80 }
81
82 void server_process_native_message(
83 Server *s,
84 const void *buffer, size_t buffer_size,
85 const struct ucred *ucred,
86 const struct timeval *tv,
87 const char *label, size_t label_len) {
88
89 struct iovec *iovec = NULL;
90 unsigned n = 0, j, tn = (unsigned) -1;
91 const char *p;
92 size_t remaining, m = 0, entry_size = 0;
93 int priority = LOG_INFO;
94 char *identifier = NULL, *message = NULL;
95 pid_t object_pid = 0;
96
97 assert(s);
98 assert(buffer || buffer_size == 0);
99
100 p = buffer;
101 remaining = buffer_size;
102
103 while (remaining > 0) {
104 const char *e, *q;
105
106 e = memchr(p, '\n', remaining);
107
108 if (!e) {
109 /* Trailing noise, let's ignore it, and flush what we collected */
110 log_debug("Received message with trailing noise, ignoring.");
111 break;
112 }
113
114 if (e == p) {
115 /* Entry separator */
116
117 if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
118 log_debug("Entry is too big with %u properties and %zu bytes, ignoring.", n, entry_size);
119 continue;
120 }
121
122 server_dispatch_message(s, iovec, n, m, ucred, tv, label, label_len, NULL, priority, object_pid);
123 n = 0;
124 priority = LOG_INFO;
125 entry_size = 0;
126
127 p++;
128 remaining--;
129 continue;
130 }
131
132 if (*p == '.' || *p == '#') {
133 /* Ignore control commands for now, and
134 * comments too. */
135 remaining -= (e - p) + 1;
136 p = e + 1;
137 continue;
138 }
139
140 /* A property follows */
141
142 /* n existing properties, 1 new, +1 for _TRANSPORT */
143 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
144 log_oom();
145 break;
146 }
147
148 q = memchr(p, '=', e - p);
149 if (q) {
150 if (valid_user_field(p, q - p, false)) {
151 size_t l;
152
153 l = e - p;
154
155 /* If the field name starts with an
156 * underscore, skip the variable,
157 * since that indidates a trusted
158 * field */
159 iovec[n].iov_base = (char*) p;
160 iovec[n].iov_len = l;
161 entry_size += iovec[n].iov_len;
162 n++;
163
164 /* We need to determine the priority
165 * of this entry for the rate limiting
166 * logic */
167 if (l == 10 &&
168 startswith(p, "PRIORITY=") &&
169 p[9] >= '0' && p[9] <= '9')
170 priority = (priority & LOG_FACMASK) | (p[9] - '0');
171
172 else if (l == 17 &&
173 startswith(p, "SYSLOG_FACILITY=") &&
174 p[16] >= '0' && p[16] <= '9')
175 priority = (priority & LOG_PRIMASK) | ((p[16] - '0') << 3);
176
177 else if (l == 18 &&
178 startswith(p, "SYSLOG_FACILITY=") &&
179 p[16] >= '0' && p[16] <= '9' &&
180 p[17] >= '0' && p[17] <= '9')
181 priority = (priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);
182
183 else if (l >= 19 &&
184 startswith(p, "SYSLOG_IDENTIFIER=")) {
185 char *t;
186
187 t = strndup(p + 18, l - 18);
188 if (t) {
189 free(identifier);
190 identifier = t;
191 }
192
193 } else if (l >= 8 &&
194 startswith(p, "MESSAGE=")) {
195 char *t;
196
197 t = strndup(p + 8, l - 8);
198 if (t) {
199 free(message);
200 message = t;
201 }
202
203 } else if (l > strlen("OBJECT_PID=") &&
204 l < strlen("OBJECT_PID=") + DECIMAL_STR_MAX(pid_t) &&
205 startswith(p, "OBJECT_PID=") &&
206 allow_object_pid(ucred)) {
207 char buf[DECIMAL_STR_MAX(pid_t)];
208 memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
209 char_array_0(buf);
210
211 /* ignore error */
212 parse_pid(buf, &object_pid);
213 }
214 }
215
216 remaining -= (e - p) + 1;
217 p = e + 1;
218 continue;
219 } else {
220 le64_t l_le;
221 uint64_t l;
222 char *k;
223
224 if (remaining < e - p + 1 + sizeof(uint64_t) + 1) {
225 log_debug("Failed to parse message, ignoring.");
226 break;
227 }
228
229 memcpy(&l_le, e + 1, sizeof(uint64_t));
230 l = le64toh(l_le);
231
232 if (l > DATA_SIZE_MAX) {
233 log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);
234 break;
235 }
236
237 if ((uint64_t) remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
238 e[1+sizeof(uint64_t)+l] != '\n') {
239 log_debug("Failed to parse message, ignoring.");
240 break;
241 }
242
243 k = malloc((e - p) + 1 + l);
244 if (!k) {
245 log_oom();
246 break;
247 }
248
249 memcpy(k, p, e - p);
250 k[e - p] = '=';
251 memcpy(k + (e - p) + 1, e + 1 + sizeof(uint64_t), l);
252
253 if (valid_user_field(p, e - p, false)) {
254 iovec[n].iov_base = k;
255 iovec[n].iov_len = (e - p) + 1 + l;
256 entry_size += iovec[n].iov_len;
257 n++;
258 } else
259 free(k);
260
261 remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
262 p = e + 1 + sizeof(uint64_t) + l + 1;
263 }
264 }
265
266 if (n <= 0)
267 goto finish;
268
269 tn = n++;
270 IOVEC_SET_STRING(iovec[tn], "_TRANSPORT=journal");
271 entry_size += strlen("_TRANSPORT=journal");
272
273 if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
274 log_debug("Entry is too big with %u properties and %zu bytes, ignoring.",
275 n, entry_size);
276 goto finish;
277 }
278
279 if (message) {
280 if (s->forward_to_syslog)
281 server_forward_syslog(s, priority, identifier, message, ucred, tv);
282
283 if (s->forward_to_kmsg)
284 server_forward_kmsg(s, priority, identifier, message, ucred);
285
286 if (s->forward_to_console)
287 server_forward_console(s, priority, identifier, message, ucred);
288
289 if (s->forward_to_wall)
290 server_forward_wall(s, priority, identifier, message, ucred);
291 }
292
293 server_dispatch_message(s, iovec, n, m, ucred, tv, label, label_len, NULL, priority, object_pid);
294
295 finish:
296 for (j = 0; j < n; j++) {
297 if (j == tn)
298 continue;
299
300 if (iovec[j].iov_base < buffer ||
301 (const uint8_t*) iovec[j].iov_base >= (const uint8_t*) buffer + buffer_size)
302 free(iovec[j].iov_base);
303 }
304
305 free(iovec);
306 free(identifier);
307 free(message);
308 }
309
310 void server_process_native_file(
311 Server *s,
312 int fd,
313 const struct ucred *ucred,
314 const struct timeval *tv,
315 const char *label, size_t label_len) {
316
317 struct stat st;
318 bool sealed;
319 int r;
320
321 /* Data is in the passed fd, since it didn't fit in a
322 * datagram. */
323
324 assert(s);
325 assert(fd >= 0);
326
327 /* If it's a memfd, check if it is sealed. If so, we can just
328 * use map it and use it, and do not need to copy the data
329 * out. */
330 sealed = memfd_get_sealed(fd) > 0;
331
332 if (!sealed && (!ucred || ucred->uid != 0)) {
333 _cleanup_free_ char *sl = NULL, *k = NULL;
334 const char *e;
335
336 /* If this is not a sealed memfd, and the peer is unknown or
337 * unprivileged, then verify the path. */
338
339 if (asprintf(&sl, "/proc/self/fd/%i", fd) < 0) {
340 log_oom();
341 return;
342 }
343
344 r = readlink_malloc(sl, &k);
345 if (r < 0) {
346 log_error_errno(r, "readlink(%s) failed: %m", sl);
347 return;
348 }
349
350 e = path_startswith(k, "/dev/shm/");
351 if (!e)
352 e = path_startswith(k, "/tmp/");
353 if (!e)
354 e = path_startswith(k, "/var/tmp/");
355 if (!e) {
356 log_error("Received file outside of allowed directories. Refusing.");
357 return;
358 }
359
360 if (!filename_is_valid(e)) {
361 log_error("Received file in subdirectory of allowed directories. Refusing.");
362 return;
363 }
364 }
365
366 if (fstat(fd, &st) < 0) {
367 log_error_errno(errno, "Failed to stat passed file, ignoring: %m");
368 return;
369 }
370
371 if (!S_ISREG(st.st_mode)) {
372 log_error("File passed is not regular. Ignoring.");
373 return;
374 }
375
376 if (st.st_size <= 0)
377 return;
378
379 if (st.st_size > ENTRY_SIZE_MAX) {
380 log_error("File passed too large. Ignoring.");
381 return;
382 }
383
384 if (sealed) {
385 void *p;
386 size_t ps;
387
388 /* The file is sealed, we can just map it and use it. */
389
390 ps = PAGE_ALIGN(st.st_size);
391 p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE, fd, 0);
392 if (p == MAP_FAILED) {
393 log_error_errno(errno, "Failed to map memfd, ignoring: %m");
394 return;
395 }
396
397 server_process_native_message(s, p, st.st_size, ucred, tv, label, label_len);
398 assert_se(munmap(p, ps) >= 0);
399 } else {
400 _cleanup_free_ void *p = NULL;
401 struct statvfs vfs;
402 ssize_t n;
403
404 if (fstatvfs(fd, &vfs) < 0) {
405 log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
406 return;
407 }
408
409 /* Refuse operating on file systems that have
410 * mandatory locking enabled, see:
411 *
412 * https://github.com/systemd/systemd/issues/1822
413 */
414 if (vfs.f_flag & ST_MANDLOCK) {
415 log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
416 return;
417 }
418
419 /* Make the fd non-blocking. On regular files this has
420 * the effect of bypassing mandatory locking. Of
421 * course, this should normally not be necessary given
422 * the check above, but let's better be safe than
423 * sorry, after all NFS is pretty confusing regarding
424 * file system flags, and we better don't trust it,
425 * and so is SMB. */
426 r = fd_nonblock(fd, true);
427 if (r < 0) {
428 log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
429 return;
430 }
431
432 /* The file is not sealed, we can't map the file here, since
433 * clients might then truncate it and trigger a SIGBUS for
434 * us. So let's stupidly read it */
435
436 p = malloc(st.st_size);
437 if (!p) {
438 log_oom();
439 return;
440 }
441
442 n = pread(fd, p, st.st_size, 0);
443 if (n < 0)
444 log_error_errno(errno, "Failed to read file, ignoring: %m");
445 else if (n > 0)
446 server_process_native_message(s, p, n, ucred, tv, label, label_len);
447 }
448 }
449
450 int server_open_native_socket(Server*s) {
451 static const int one = 1;
452 int r;
453
454 assert(s);
455
456 if (s->native_fd < 0) {
457 union sockaddr_union sa = {
458 .un.sun_family = AF_UNIX,
459 .un.sun_path = "/run/systemd/journal/socket",
460 };
461
462 s->native_fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
463 if (s->native_fd < 0)
464 return log_error_errno(errno, "socket() failed: %m");
465
466 unlink(sa.un.sun_path);
467
468 r = bind(s->native_fd, &sa.sa, offsetof(union sockaddr_union, un.sun_path) + strlen(sa.un.sun_path));
469 if (r < 0)
470 return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
471
472 (void) chmod(sa.un.sun_path, 0666);
473 } else
474 fd_nonblock(s->native_fd, 1);
475
476 r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
477 if (r < 0)
478 return log_error_errno(errno, "SO_PASSCRED failed: %m");
479
480 #ifdef HAVE_SELINUX
481 if (mac_selinux_have()) {
482 r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
483 if (r < 0)
484 log_warning_errno(errno, "SO_PASSSEC failed: %m");
485 }
486 #endif
487
488 r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
489 if (r < 0)
490 return log_error_errno(errno, "SO_TIMESTAMP failed: %m");
491
492 r = sd_event_add_io(s->event, &s->native_event_source, s->native_fd, EPOLLIN, server_process_datagram, s);
493 if (r < 0)
494 return log_error_errno(r, "Failed to add native server fd to event loop: %m");
495
496 r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5);
497 if (r < 0)
498 return log_error_errno(r, "Failed to adjust native event source priority: %m");
499
500 return 0;
501 }
systemd for Proxmox projects