diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-06-23 20:42:57 +0200 |
---|---|---|
committer | Daniel Mack <daniel@zonque.org> | 2015-07-08 13:53:15 -0400 |
commit | f6f7a9848e27fbc1748aec9264e58a2aeaf736db (patch) | |
tree | 722a81df34f4f6c34b3b34b4bd4cb7d31c3b081f /man | |
parent | 9d3e5d11bee9ab29a479e534622bb1b23daf9fab (diff) |
man: fully document sd_bus_creds subsystem
[@zonque: typo fixed, reported by @ronnychevalier]
Diffstat (limited to 'man')
-rw-r--r-- | man/sd_bus_creds_get_pid.xml | 59 | ||||
-rw-r--r-- | man/sd_bus_creds_new_from_pid.xml | 150 |
2 files changed, 144 insertions, 65 deletions
diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 13f885cd5d..4162fab065 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -61,8 +61,9 @@ <refname>sd_bus_creds_get_cmdline</refname> <refname>sd_bus_creds_get_cgroup</refname> <refname>sd_bus_creds_get_unit</refname> - <refname>sd_bus_creds_get_user_unit</refname> <refname>sd_bus_creds_get_slice</refname> + <refname>sd_bus_creds_get_user_unit</refname> + <refname>sd_bus_creds_get_user_slice</refname> <refname>sd_bus_creds_get_session</refname> <refname>sd_bus_creds_get_owner_uid</refname> <refname>sd_bus_creds_has_effective_cap</refname> @@ -193,13 +194,19 @@ </funcprototype> <funcprototype> + <funcdef>int <function>sd_bus_creds_get_slice</function></funcdef> + <paramdef>sd_bus_creds *<parameter>c</parameter></paramdef> + <paramdef>const char **<parameter>slice</parameter></paramdef> + </funcprototype> + + <funcprototype> <funcdef>int <function>sd_bus_creds_get_user_unit</function></funcdef> <paramdef>sd_bus_creds *<parameter>c</parameter></paramdef> <paramdef>const char **<parameter>unit</parameter></paramdef> </funcprototype> <funcprototype> - <funcdef>int <function>sd_bus_creds_get_slice</function></funcdef> + <funcdef>int <function>sd_bus_creds_get_user_slice</function></funcdef> <paramdef>sd_bus_creds *<parameter>c</parameter></paramdef> <paramdef>const char **<parameter>slice</parameter></paramdef> </funcprototype> @@ -288,9 +295,9 @@ <refsect1> <title>Description</title> - <para>These functions return information from an - <parameter>sd_bus_creds</parameter> credential object. Credential - objects may be created with + <para>These functions return credential information from an + <parameter>sd_bus_creds</parameter> object. Credential objects may + be created with <citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, in which case they describe the credentials of the process identified by the specified PID, with @@ -301,7 +308,13 @@ in which case they describe the credentials of the creator of a bus, or with <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - in which case they describe the credentials of the sender of the message.</para> + in which case they describe the credentials of the sender of the + message.</para> + + <para>Not all credential fields are part of every + <literal>sd_bus_creds</literal> object. Use + <citerefentry><refentrytitle>sd_bus_creds_get_mask</refentrytitle><manvolnum>3</manvolnum></citerefentry> + to determine the mask of fields available.</para> <para><function>sd_bus_creds_get_pid()</function> will retrieve the PID (process identifier). Similar, @@ -374,19 +387,22 @@ <para><function>sd_bus_creds_get_slice()</function> will retrieve the systemd slice (a unit in the system instance of systemd) that the process is part of. See - <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Similar, + <function>sd_bus_creds_get_user_slice()</function> retrieves the + systemd slice of the process, in the user instance of systemd. </para> <para><function>sd_bus_creds_get_session()</function> will - retrieve the logind session that the process is part of. See + retrieve the identifier of the login session that the process is + part of. See <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. For processes that are not part of a session returns -ENXIO. </para> <para><function>sd_bus_creds_get_owner_uid()</function> will retrieve the numeric UID (user identifier) of the user who owns - the session that the process is part of. See - <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry> + the login session that the process is part of. See + <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. For processes that are not part of a session returns -ENXIO. </para> @@ -395,7 +411,7 @@ <parameter>capability</parameter> was set in the effective capabilities mask. A positive return value means that is was set, zero means that it was not set, and a negative return - value signifies an error. See + value indicates an error. See <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> and <varname>Capabilities=</varname> and <varname>CapabilityBoundingSet=</varname> settings in @@ -427,8 +443,8 @@ processes that are not part of an audit session.</para> <para><function>sd_bus_creds_get_tty()</function> will retrieve - the controlling TTY. Returns -ENXIO for processes that have no - controlling TTY.</para> + the controlling TTY, without the prefixing "/dev/". Returns -ENXIO + for processes that have no controlling TTY.</para> <para><function>sd_bus_creds_get_unique_name()</function> will retrieve the D-Bus unique name. See <ulink @@ -489,8 +505,9 @@ <listitem><para>Given field is not specified for the described process or peer. This will be returned by <function>sd_bus_get_unit()</function>, - <function>sd_bus_get_user_unit()</function>, <function>sd_bus_get_slice()</function>, + <function>sd_bus_get_user_unit()</function>, + <function>sd_bus_get_user_slice()</function>, <function>sd_bus_get_session()</function>, and <function>sd_bus_get_owner_uid()</function> if the process is not part of a systemd system unit, systemd user unit, systemd @@ -526,10 +543,11 @@ <refsect1> <title>Notes</title> - <para><function>sd_bus_open_user()</function> and other functions - described here are available as a shared library, which can be - compiled and linked to with the - <constant>libsystemd</constant> <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry> + <para><function>sd_bus_creds_get_pid()</function> and the other + functions described here are available as a shared library, which + can be compiled and linked to with the + <constant>libsystemd</constant> <citerefentry + project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry> file.</para> </refsect1> @@ -539,8 +557,9 @@ <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>, - <citerefentry><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>free</refentrytitle><manvolnum>3</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>, diff --git a/man/sd_bus_creds_new_from_pid.xml b/man/sd_bus_creds_new_from_pid.xml index 8c054a5905..a78d3f5717 100644 --- a/man/sd_bus_creds_new_from_pid.xml +++ b/man/sd_bus_creds_new_from_pid.xml @@ -45,6 +45,7 @@ <refnamediv> <refname>sd_bus_creds_new_from_pid</refname> <refname>sd_bus_creds_get_mask</refname> + <refname>sd_bus_creds_get_augmented_mask</refname> <refname>sd_bus_creds_ref</refname> <refname>sd_bus_creds_unref</refname> @@ -68,6 +69,11 @@ </funcprototype> <funcprototype> + <funcdef>uint64_t <function>sd_bus_creds_get_augmented_mask</function></funcdef> + <paramdef>const sd_bus_creds *<parameter>c</parameter></paramdef> + </funcprototype> + + <funcprototype> <funcdef>sd_bus_creds *<function>sd_bus_creds_ref</function></funcdef> <paramdef>sd_bus_creds *<parameter>c</parameter></paramdef> </funcprototype> @@ -80,17 +86,26 @@ <para> <constant>SD_BUS_CREDS_PID</constant>, + <constant>SD_BUS_CREDS_PPID</constant>, <constant>SD_BUS_CREDS_TID</constant>, <constant>SD_BUS_CREDS_UID</constant>, + <constant>SD_BUS_CREDS_EUID</constant>, + <constant>SD_BUS_CREDS_SUID</constant>, + <constant>SD_BUS_CREDS_FSUID</constant>, <constant>SD_BUS_CREDS_GID</constant>, + <constant>SD_BUS_CREDS_EGID</constant>, + <constant>SD_BUS_CREDS_SGID</constant>, + <constant>SD_BUS_CREDS_FSGID</constant>, + <constant>SD_BUS_CREDS_SUPPLEMENTARY_GIDS</constant>, <constant>SD_BUS_CREDS_COMM</constant>, <constant>SD_BUS_CREDS_TID_COMM</constant>, <constant>SD_BUS_CREDS_EXE</constant>, <constant>SD_BUS_CREDS_CMDLINE</constant>, <constant>SD_BUS_CREDS_CGROUP</constant>, <constant>SD_BUS_CREDS_UNIT</constant>, - <constant>SD_BUS_CREDS_USER_UNIT</constant>, <constant>SD_BUS_CREDS_SLICE</constant>, + <constant>SD_BUS_CREDS_USER_UNIT</constant>, + <constant>SD_BUS_CREDS_USER_SLICE</constant>, <constant>SD_BUS_CREDS_SESSION</constant>, <constant>SD_BUS_CREDS_OWNER_UID</constant>, <constant>SD_BUS_CREDS_EFFECTIVE_CAPS</constant>, @@ -100,8 +115,11 @@ <constant>SD_BUS_CREDS_SELINUX_CONTEXT</constant>, <constant>SD_BUS_CREDS_AUDIT_SESSION_ID</constant>, <constant>SD_BUS_CREDS_AUDIT_LOGIN_UID</constant>, + <constant>SD_BUS_CREDS_TTY</constant>, <constant>SD_BUS_CREDS_UNIQUE_NAME</constant>, <constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant>, + <constant>SD_BUS_CREDS_DESCRIPTION</constant>, + <constant>SD_BUS_CREDS_AUGMENT</constant>, <constant>_SD_BUS_CREDS_ALL</constant> </para> </refsynopsisdiv> @@ -109,25 +127,39 @@ <refsect1> <title>Description</title> - <para><function>sd_bus_creds_new_from_pid()</function> creates a new - credentials object and fills it with information about the process - <parameter>pid</parameter>. This pointer to this object will - be stored in <parameter>ret</parameter> pointer.</para> + <para><function>sd_bus_creds_new_from_pid()</function> creates a + new credentials object and fills it with information about the + process <parameter>pid</parameter>. The pointer to this object + will be stored in <parameter>ret</parameter> pointer. Note that + credential objects may also be created and retrieved via + <citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + <citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para> <para>The information that will be stored is determined by <parameter>creds_mask</parameter>. It may contain a subset of ORed constants <constant>SD_BUS_CREDS_PID</constant>, + <constant>SD_BUS_CREDS_PPID</constant>, <constant>SD_BUS_CREDS_TID</constant>, <constant>SD_BUS_CREDS_UID</constant>, + <constant>SD_BUS_CREDS_EUID</constant>, + <constant>SD_BUS_CREDS_SUID</constant>, + <constant>SD_BUS_CREDS_FSUID</constant>, <constant>SD_BUS_CREDS_GID</constant>, + <constant>SD_BUS_CREDS_EGID</constant>, + <constant>SD_BUS_CREDS_SGID</constant>, + <constant>SD_BUS_CREDS_FSGID</constant>, + <constant>SD_BUS_CREDS_SUPPLEMENTARY_GIDS</constant>, <constant>SD_BUS_CREDS_COMM</constant>, <constant>SD_BUS_CREDS_TID_COMM</constant>, <constant>SD_BUS_CREDS_EXE</constant>, <constant>SD_BUS_CREDS_CMDLINE</constant>, <constant>SD_BUS_CREDS_CGROUP</constant>, <constant>SD_BUS_CREDS_UNIT</constant>, - <constant>SD_BUS_CREDS_USER_UNIT</constant>, <constant>SD_BUS_CREDS_SLICE</constant>, + <constant>SD_BUS_CREDS_USER_UNIT</constant>, + <constant>SD_BUS_CREDS_USER_SLICE</constant>, <constant>SD_BUS_CREDS_SESSION</constant>, <constant>SD_BUS_CREDS_OWNER_UID</constant>, <constant>SD_BUS_CREDS_EFFECTIVE_CAPS</constant>, @@ -137,34 +169,71 @@ <constant>SD_BUS_CREDS_SELINUX_CONTEXT</constant>, <constant>SD_BUS_CREDS_AUDIT_SESSION_ID</constant>, <constant>SD_BUS_CREDS_AUDIT_LOGIN_UID</constant>, + <constant>SD_BUS_CREDS_TTY</constant>, <constant>SD_BUS_CREDS_UNIQUE_NAME</constant>, <constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant>, - or <constant>_SD_BUS_CREDS_ALL</constant> to indicate - all known fields.</para> + <constant>SD_BUS_CREDS_DESCRIPTION</constant>. Use the special + value <constant>_SD_BUS_CREDS_ALL</constant> to request all + supported fields. The <constant>SD_BUS_CREDS_AUGMENT</constant> + may not be ORed into the mask for invocations of + <function>sd_bus_creds_new_from_pid()</function>.</para> <para>Fields can be retrieved from the credentials object using <citerefentry><refentrytitle>sd_bus_creds_get_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry> and other functions which correspond directly to the constants listed above.</para> - <para>A mask of fields which were actually successfully set - (acquired from <filename>/proc</filename>, etc.) can be retrieved - with <function>sd_bus_creds_get_mask()</function>. If the - credentials object was created with + <para>A mask of fields which were actually successfully retrieved + can be retrieved with + <function>sd_bus_creds_get_mask()</function>. If the credentials + object was created with <function>sd_bus_creds_new_from_pid()</function>, this will be a subset of fields requested in <parameter>creds_mask</parameter>. </para> - <para><function>sd_bus_creds_ref</function> creates a new + <para>Similar to <function>sd_bus_creds_get_mask()</function> the + function <function>sd_bus_creds_get_augmented_mask()</function> + returns a bitmask of field constants. The mask indicates which + credential fields have been retrieved in a non-atomic fashion. For + credential objects created via + <function>sd_bus_creds_new_from_pid()</function> this mask will be + identical to the mask returned by + <function>sd_bus_creds_get_mask()</function>. However, for + credential objects retrieved via + <function>sd_bus_get_name_creds()</function> this mask will be set + for the credential fields that could not be determined atomically + at peer connection time, and which were later added by reading + augmenting credential data from + <filename>/proc</filename>. Similar, for credential objects + retrieved via <function>sd_bus_get_owner_creds()</function> the + mask is set for the fields that could not be determined atomically + at bus creation time, but have been augmented. Similar, for + credential objects retrieved via + <function>sd_bus_message_get_creds()</function> the mask is set + for the fields that could not be determined atomically at message + send time, but have been augmented. The mask returned by + <function>sd_bus_creds_get_augmented_mask()</function> is always a + subset of (or identical to) the mask returned by + <function>sd_bus_creds_get_mask()</function> for the same + object. The latter call hence returns all credential fields + available in the credential object, the former then marks the + subset of those that have been augmented. Note that augmented + fields are unsuitable for authorization decisions as they may be + retrieved at different times, thus being subject to races. Hence + augmented fields should be used exclusively for informational + purposes. + </para> + + <para><function>sd_bus_creds_ref()</function> creates a new reference to the credentials object <parameter>c</parameter>. This object will not be destroyed until - <function>sd_bus_creds_unref</function> has been called as many + <function>sd_bus_creds_unref()</function> has been called as many times plus once more. Once the reference count has dropped to zero, <parameter>c</parameter> cannot be used anymore, so further calls to <function>sd_bus_creds_ref(c)</function> or <function>sd_bus_creds_unref(c)</function> are illegal.</para> - <para><function>sd_bus_creds_unref</function> destroys a reference + <para><function>sd_bus_creds_unref()</function> destroys a reference to <parameter>c</parameter>.</para> </refsect1> @@ -178,10 +247,15 @@ <para><function>sd_bus_creds_get_mask()</function> returns the mask of successfully acquired fields.</para> - <para><function>sd_bus_creds_ref</function> always returns the + <para><function>sd_bus_creds_get_augmented_mask()</function> + returns the mask of fields that have been augmented from data in + <filename>/proc</filename>, and are thus not suitable for + authorization decisions.</para> + + <para><function>sd_bus_creds_ref()</function> always returns the argument.</para> - <para><function>sd_bus_creds_unref</function> always returns + <para><function>sd_bus_creds_unref()</function> always returns <constant>NULL</constant>.</para> </refsect1> @@ -222,16 +296,23 @@ <listitem><para>Memory allocation failed.</para></listitem> </varlistentry> + + <varlistentry> + <term><constant>-EOPNOTSUPP</constant></term> + + <listitem><para>One of the requested fields is unknown to the local system.</para></listitem> + </varlistentry> </variablelist> </refsect1> <refsect1> <title>Notes</title> - <para><function>sd_bus_creds_new_from_pid()</function> is - available as a shared library, which can be compiled and linked to - with the - <constant>libsystemd</constant> <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry> + <para><function>sd_bus_creds_new_from_pid()</function> and the + other calls described here are available as a shared library, + which can be compiled and linked to with the + <constant>libsystemd</constant> <citerefentry + project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry> file.</para> </refsect1> @@ -241,31 +322,10 @@ <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_ref</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>, <citerefentry><refentrytitle>sd_bus_creds_get_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_tid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_gid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_comm</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_tid_comm</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_exe</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_cmdline</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_cgroup</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_unit</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_user_unit</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_slice</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_session</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_has_effective_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_has_permitted_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_has_inheritable_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_has_bounding_cap</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_selinux_context</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_audit_session_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_audit_login_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_unique_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>, - <citerefentry><refentrytitle>sd_bus_creds_get_well_known_names</refentrytitle><manvolnum>3</manvolnum></citerefentry> + <citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + <citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>, + <citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry> </para> </refsect1> |