summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2012-03-13 00:00:27 +0100
committerLennart Poettering <lennart@poettering.net>2012-03-13 00:00:27 +0100
commit54ecda32c60c6f2548f74703bfd324694393edaa (patch)
treed9747c30a1985b3b95497450ca1c2678a9079d08
parentfa734f4da837abe6c893e75c95be78527db72c0f (diff)
socket: add option for SO_PASSEC
https://bugzilla.redhat.com/show_bug.cgi?id=798760 (Note that this work is not complete yet, as the kernel seems to send us useless data with SCM_SECURITY enabled)
-rw-r--r--TODO2
-rw-r--r--man/systemd.socket.xml13
-rw-r--r--src/dbus-socket.c2
-rw-r--r--src/journal/journald.c10
-rw-r--r--src/load-fragment-gperf.gperf.m41
-rw-r--r--src/missing.h4
-rw-r--r--src/socket.c8
-rw-r--r--src/socket.h1
-rw-r--r--units/syslog.socket1
-rw-r--r--units/systemd-journald.socket1
-rw-r--r--units/systemd-shutdownd.socket1
11 files changed, 43 insertions, 1 deletions
diff --git a/TODO b/TODO
index 81aaabcc23..96ae6355d8 100644
--- a/TODO
+++ b/TODO
@@ -18,6 +18,8 @@ Bugfixes:
Features:
+* journal: extend sd-journal.h logging calls to implicitly log function names/line numbers/...
+
* document crypttab(5)
* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index ef5b28c771..d9921e496d 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -528,7 +528,7 @@
<term><varname>PassCredentials=</varname></term>
<listitem><para>Takes a boolean
value. This controls the SO_PASSCRED
- socket option, which allows UNIX sockets to
+ socket option, which allows AF_UNIX sockets to
receive the credentials of the sending
process in an ancillary message.
Defaults to
@@ -536,6 +536,17 @@
</varlistentry>
<varlistentry>
+ <term><varname>PassSecurity=</varname></term>
+ <listitem><para>Takes a boolean
+ value. This controls the SO_PASSSEC
+ socket option, which allows AF_UNIX
+ sockets to receive the security
+ context of the sending process in an
+ ancillary message. Defaults to
+ <option>false</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>TCPCongestion=</varname></term>
<listitem><para>Takes a string
value. Controls the TCP congestion
diff --git a/src/dbus-socket.c b/src/dbus-socket.c
index 9fef6769f0..2e3342cb55 100644
--- a/src/dbus-socket.c
+++ b/src/dbus-socket.c
@@ -52,6 +52,7 @@
" <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
" <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
" <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
+ " <property name=\"PassSecurity\" type=\"b\" access=\"read\"/>\n" \
" <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \
" <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
" <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
@@ -114,6 +115,7 @@ static const BusProperty bus_socket_properties[] = {
{ "Transparent", bus_property_append_bool, "b", offsetof(Socket, transparent) },
{ "Broadcast", bus_property_append_bool, "b", offsetof(Socket, broadcast) },
{ "PassCredentials",bus_property_append_bool, "b", offsetof(Socket, pass_cred) },
+ { "PassSecurity", bus_property_append_bool, "b", offsetof(Socket, pass_sec) },
{ "Mark", bus_property_append_int, "i", offsetof(Socket, mark) },
{ "MaxConnections", bus_property_append_unsigned, "u", offsetof(Socket, max_connections) },
{ "NConnections", bus_property_append_unsigned, "u", offsetof(Socket, n_connections) },
diff --git a/src/journal/journald.c b/src/journal/journald.c
index 73f8ed6ae8..375f5aa6ca 100644
--- a/src/journal/journald.c
+++ b/src/journal/journald.c
@@ -2253,6 +2253,11 @@ static int open_syslog_socket(Server *s) {
}
one = 1;
+ r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+ if (r < 0)
+ log_warning("SO_PASSSEC failed: %m");
+
+ one = 1;
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
if (r < 0) {
log_error("SO_TIMESTAMP failed: %m");
@@ -2309,6 +2314,11 @@ static int open_native_socket(Server*s) {
}
one = 1;
+ r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+ if (r < 0)
+ log_warning("SO_PASSSEC failed: %m");
+
+ one = 1;
r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
if (r < 0) {
log_error("SO_TIMESTAMP failed: %m");
diff --git a/src/load-fragment-gperf.gperf.m4 b/src/load-fragment-gperf.gperf.m4
index 44ce4bbbc4..4b02e3157e 100644
--- a/src/load-fragment-gperf.gperf.m4
+++ b/src/load-fragment-gperf.gperf.m4
@@ -186,6 +186,7 @@ Socket.FreeBind, config_parse_bool, 0,
Socket.Transparent, config_parse_bool, 0, offsetof(Socket, transparent)
Socket.Broadcast, config_parse_bool, 0, offsetof(Socket, broadcast)
Socket.PassCredentials, config_parse_bool, 0, offsetof(Socket, pass_cred)
+Socket.PassSecurity, config_parse_bool, 0, offsetof(Socket, pass_sec)
Socket.TCPCongestion, config_parse_string, 0, offsetof(Socket, tcp_congestion)
Socket.MessageQueueMaxMessages, config_parse_long, 0, offsetof(Socket, mq_maxmsg)
Socket.MessageQueueMessageSize, config_parse_long, 0, offsetof(Socket, mq_msgsize)
diff --git a/src/missing.h b/src/missing.h
index 213ef2f6a6..095bf1fe04 100644
--- a/src/missing.h
+++ b/src/missing.h
@@ -180,4 +180,8 @@ static inline pid_t gettid(void) {
return (pid_t) syscall(SYS_gettid);
}
+#ifndef SCM_SECURITY
+#define SCM_SECURITY 0x03
+#endif
+
#endif
diff --git a/src/socket.c b/src/socket.c
index aeedcbd7f3..ecaf3d2148 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -417,6 +417,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
"%sTransparent: %s\n"
"%sBroadcast: %s\n"
"%sPassCredentials: %s\n"
+ "%sPassSecurity: %s\n"
"%sTCPCongestion: %s\n",
prefix, socket_state_to_string(s->state),
prefix, socket_result_to_string(s->result),
@@ -429,6 +430,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
prefix, yes_no(s->transparent),
prefix, yes_no(s->broadcast),
prefix, yes_no(s->pass_cred),
+ prefix, yes_no(s->pass_sec),
prefix, strna(s->tcp_congestion));
if (s->control_pid > 0)
@@ -676,6 +678,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
log_warning("SO_PASSCRED failed: %m");
}
+ if (s->pass_sec) {
+ int one = 1;
+ if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
+ log_warning("SO_PASSSEC failed: %m");
+ }
+
if (s->priority >= 0)
if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
log_warning("SO_PRIORITY failed: %m");
diff --git a/src/socket.h b/src/socket.h
index 6f2af7cd61..6470d8b63e 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -129,6 +129,7 @@ struct Socket {
bool transparent;
bool broadcast;
bool pass_cred;
+ bool pass_sec;
int priority;
int mark;
size_t receive_buffer;
diff --git a/units/syslog.socket b/units/syslog.socket
index 1c54857762..0e211e16e7 100644
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -21,6 +21,7 @@ Wants=syslog.target
ListenDatagram=/run/systemd/journal/syslog
SocketMode=0666
PassCredentials=yes
+PassSecurity=yes
ReceiveBuffer=8M
# The default syslog implementation should make syslog.service a
diff --git a/units/systemd-journald.socket b/units/systemd-journald.socket
index c752505d9f..15fc49ef29 100644
--- a/units/systemd-journald.socket
+++ b/units/systemd-journald.socket
@@ -23,4 +23,5 @@ ListenDatagram=/run/systemd/journal/socket
ListenDatagram=/dev/log
SocketMode=0666
PassCredentials=yes
+PassSecurity=yes
ReceiveBuffer=8M
diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket
index 532a6f0c73..7f13c9386e 100644
--- a/units/systemd-shutdownd.socket
+++ b/units/systemd-shutdownd.socket
@@ -16,3 +16,4 @@ Before=sockets.target
ListenDatagram=/run/systemd/shutdownd
SocketMode=0600
PassCredentials=yes
+PassSecurity=yes