summaryrefslogtreecommitdiff
path: root/src/shared/audit.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2013-11-28 17:50:02 +0100
committerLennart Poettering <lennart@poettering.net>2013-11-28 18:42:18 +0100
commit5b12334d35eadf1f45cc3d631fd1a2e72ffaea0a (patch)
tree55682fbecfeb705adfaf0f78fd76f5c8dc219b1b /src/shared/audit.c
parent70f75a523b16ad495a7791d595ee3eececf75953 (diff)
bus: add new sd_bus_creds object to encapsulate process credentials
This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.
Diffstat (limited to 'src/shared/audit.c')
-rw-r--r--src/shared/audit.c57
1 files changed, 14 insertions, 43 deletions
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 97560cc9a3..9ab46408da 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -26,8 +26,6 @@
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
-#include <sys/prctl.h>
-#include <sys/capability.h>
#include "macro.h"
#include "audit.h"
@@ -37,91 +35,64 @@
#include "virt.h"
int audit_session_from_pid(pid_t pid, uint32_t *id) {
- char *s;
+ _cleanup_free_ char *s = NULL;
+ const char *p;
uint32_t u;
int r;
assert(id);
- if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
- return -ENOENT;
-
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
- r = read_one_line_file("/proc/self/sessionid", &s);
- else {
- char *p;
-
- if (asprintf(&p, "/proc/%lu/sessionid", (unsigned long) pid) < 0)
- return -ENOMEM;
-
- r = read_one_line_file(p, &s);
- free(p);
- }
+ p = "/proc/self/sessionid";
+ else
+ p = procfs_file_alloca(pid, "sessionid");
+ r = read_one_line_file(p, &s);
if (r < 0)
return r;
r = safe_atou32(s, &u);
- free(s);
-
if (r < 0)
return r;
if (u == (uint32_t) -1 || u <= 0)
- return -ENOENT;
+ return -ENXIO;
*id = u;
return 0;
}
int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
- char *s;
+ _cleanup_free_ char *s = NULL;
+ const char *p;
uid_t u;
int r;
assert(uid);
- /* Only use audit login uid if we are executed with sufficient
- * capabilities so that pam_loginuid could do its job. If we
- * are lacking the CAP_AUDIT_CONTROL capabality we most likely
- * are being run in a container and /proc/self/loginuid is
- * useless since it probably contains a uid of the host
- * system. */
-
- if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
- return -ENOENT;
-
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
- r = read_one_line_file("/proc/self/loginuid", &s);
- else {
- char *p;
-
- if (asprintf(&p, "/proc/%lu/loginuid", (unsigned long) pid) < 0)
- return -ENOMEM;
-
- r = read_one_line_file(p, &s);
- free(p);
- }
+ p = "/proc/self/loginuid";
+ else
+ p = procfs_file_alloca(pid, "loginuid");
+ r = read_one_line_file(p, &s);
if (r < 0)
return r;
r = parse_uid(s, &u);
- free(s);
-
if (r < 0)
return r;
if (u == (uid_t) -1)
- return -ENOENT;
+ return -ENXIO;
*uid = (uid_t) u;
return 0;