/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2011 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see .
***/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "log.h"
#include "util.h"
#include "path-util.h"
#include "build.h"
#include "pager.h"
#include "logs-show.h"
#include "strv.h"
#include "journal-internal.h"
#include "journal-def.h"
#include "journal-verify.h"
#include "journal-authenticate.h"
#include "fsprg.h"
#define DEFAULT_FSPRG_INTERVAL_USEC (15*USEC_PER_MINUTE)
static OutputMode arg_output = OUTPUT_SHORT;
static bool arg_follow = false;
static bool arg_show_all = false;
static bool arg_no_pager = false;
static int arg_lines = -1;
static bool arg_no_tail = false;
static bool arg_quiet = false;
static bool arg_local = false;
static bool arg_this_boot = false;
static const char *arg_directory = NULL;
static int arg_priorities = 0xFF;
static const char *arg_verify_seed = NULL;
static usec_t arg_evolve = DEFAULT_FSPRG_INTERVAL_USEC;
static enum {
ACTION_SHOW,
ACTION_NEW_ID128,
ACTION_PRINT_HEADER,
ACTION_SETUP_KEYS,
ACTION_VERIFY
} arg_action = ACTION_SHOW;
static int help(void) {
printf("%s [OPTIONS...] [MATCH]\n\n"
"Send control commands to or query the journal.\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --no-pager Do not pipe output into a pager\n"
" -a --all Show all fields, including long and unprintable\n"
" -f --follow Follow journal\n"
" -n --lines=INTEGER Journal entries to show\n"
" --no-tail Show all lines, even in follow mode\n"
" -o --output=STRING Change journal output mode (short, short-monotonic,\n"
" verbose, export, json, cat)\n"
" -q --quiet Don't show privilege warning\n"
" -l --local Only local entries\n"
" -b --this-boot Show data only from current boot\n"
" -D --directory=PATH Show journal files from directory\n"
" -p --priority=RANGE Show only messages within the specified priority range\n\n"
"Commands:\n"
" --new-id128 Generate a new 128 Bit ID\n"
" --header Show journal header information\n"
" --verify Verify journal file consistency\n"
" --verify-seed=SEED Specify FSPRG seed for verification\n"
" --setup-keys Generate new FSPRG key and seed\n"
" --evolve=TIME How of to evolve FSPRG keys\n",
program_invocation_short_name);
return 0;
}
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_NO_PAGER,
ARG_NO_TAIL,
ARG_NEW_ID128,
ARG_HEADER,
ARG_SETUP_KEYS,
ARG_VERIFY,
ARG_VERIFY_SEED,
ARG_EVOLVE
};
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version" , no_argument, NULL, ARG_VERSION },
{ "no-pager", no_argument, NULL, ARG_NO_PAGER },
{ "follow", no_argument, NULL, 'f' },
{ "output", required_argument, NULL, 'o' },
{ "all", no_argument, NULL, 'a' },
{ "lines", required_argument, NULL, 'n' },
{ "no-tail", no_argument, NULL, ARG_NO_TAIL },
{ "new-id128", no_argument, NULL, ARG_NEW_ID128 },
{ "quiet", no_argument, NULL, 'q' },
{ "local", no_argument, NULL, 'l' },
{ "this-boot", no_argument, NULL, 'b' },
{ "directory", required_argument, NULL, 'D' },
{ "header", no_argument, NULL, ARG_HEADER },
{ "priority", no_argument, NULL, 'p' },
{ "setup-keys", no_argument, NULL, ARG_SETUP_KEYS },
{ "verify", no_argument, NULL, ARG_VERIFY },
{ "verify-seed", required_argument, NULL, ARG_VERIFY_SEED },
{ "evolve", required_argument, NULL, ARG_EVOLVE },
{ NULL, 0, NULL, 0 }
};
int c, r;
assert(argc >= 0);
assert(argv);
while ((c = getopt_long(argc, argv, "hfo:an:qlbD:p:", options, NULL)) >= 0) {
switch (c) {
case 'h':
help();
return 0;
case ARG_VERSION:
puts(PACKAGE_STRING);
puts(DISTRIBUTION);
puts(SYSTEMD_FEATURES);
return 0;
case ARG_NO_PAGER:
arg_no_pager = true;
break;
case 'f':
arg_follow = true;
break;
case 'o':
arg_output = output_mode_from_string(optarg);
if (arg_output < 0) {
log_error("Unknown output '%s'.", optarg);
return -EINVAL;
}
break;
case 'a':
arg_show_all = true;
break;
case 'n':
r = safe_atoi(optarg, &arg_lines);
if (r < 0 || arg_lines < 0) {
log_error("Failed to parse lines '%s'", optarg);
return -EINVAL;
}
break;
case ARG_NO_TAIL:
arg_no_tail = true;
break;
case ARG_NEW_ID128:
arg_action = ACTION_NEW_ID128;
break;
case 'q':
arg_quiet = true;
break;
case 'l':
arg_local = true;
break;
case 'b':
arg_this_boot = true;
break;
case 'D':
arg_directory = optarg;
break;
case ARG_HEADER:
arg_action = ACTION_PRINT_HEADER;
break;
case ARG_SETUP_KEYS:
arg_action = ACTION_SETUP_KEYS;
break;
case ARG_VERIFY:
arg_action = ACTION_VERIFY;
break;
case ARG_VERIFY_SEED:
arg_action = ACTION_VERIFY;
arg_verify_seed = optarg;
break;
case ARG_EVOLVE:
r = parse_usec(optarg, &arg_evolve);
if (r < 0 || arg_evolve <= 0) {
log_error("Failed to parse evolve interval: %s", optarg);
return -EINVAL;
}
break;
case 'p': {
const char *dots;
dots = strstr(optarg, "..");
if (dots) {
char *a;
int from, to, i;
/* a range */
a = strndup(optarg, dots - optarg);
if (!a)
return log_oom();
from = log_level_from_string(a);
to = log_level_from_string(dots + 2);
free(a);
if (from < 0 || to < 0) {
log_error("Failed to parse log level range %s", optarg);
return -EINVAL;
}
arg_priorities = 0;
if (from < to) {
for (i = from; i <= to; i++)
arg_priorities |= 1 << i;
} else {
for (i = to; i <= from; i++)
arg_priorities |= 1 << i;
}
} else {
int p, i;
p = log_level_from_string(optarg);
if (p < 0) {
log_error("Unknown log level %s", optarg);
return -EINVAL;
}
arg_priorities = 0;
for (i = 0; i <= p; i++)
arg_priorities |= 1 << i;
}
break;
}
case '?':
return -EINVAL;
default:
log_error("Unknown option code %c", c);
return -EINVAL;
}
}
if (arg_follow && !arg_no_tail && arg_lines < 0)
arg_lines = 10;
return 1;
}
static bool on_tty(void) {
static int t = -1;
/* Note that this is invoked relatively early, before we start
* the pager. That means the value we return reflects whether
* we originally were started on a tty, not if we currently
* are. But this is intended, since we want colour and so on
* when run in our own pager. */
if (_unlikely_(t < 0))
t = isatty(STDOUT_FILENO) > 0;
return t;
}
static int generate_new_id128(void) {
sd_id128_t id;
int r;
unsigned i;
r = sd_id128_randomize(&id);
if (r < 0) {
log_error("Failed to generate ID: %s", strerror(-r));
return r;
}
printf("As string:\n"
SD_ID128_FORMAT_STR "\n\n"
"As UUID:\n"
"%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x\n\n"
"As macro:\n"
"#define MESSAGE_XYZ SD_ID128_MAKE(",
SD_ID128_FORMAT_VAL(id),
SD_ID128_FORMAT_VAL(id));
for (i = 0; i < 16; i++)
printf("%02x%s", id.bytes[i], i != 15 ? "," : "");
fputs(")\n", stdout);
return 0;
}
static int add_matches(sd_journal *j, char **args) {
char **i;
int r;
assert(j);
STRV_FOREACH(i, args) {
if (streq(*i, "+"))
r = sd_journal_add_disjunction(j);
else if (path_is_absolute(*i)) {
char *p, *t = NULL;
const char *path;
struct stat st;
p = canonicalize_file_name(*i);
path = p ? p : *i;
if (stat(path, &st) < 0) {
free(p);
log_error("Couldn't stat file: %m");
return -errno;
}
if (S_ISREG(st.st_mode) && (0111 & st.st_mode))
t = strappend("_EXE=", path);
else if (S_ISCHR(st.st_mode))
asprintf(&t, "_KERNEL_DEVICE=c%u:%u", major(st.st_rdev), minor(st.st_rdev));
else if (S_ISBLK(st.st_mode))
asprintf(&t, "_KERNEL_DEVICE=b%u:%u", major(st.st_rdev), minor(st.st_rdev));
else {
free(p);
log_error("File is not a device node, regular file or is not executable: %s", *i);
return -EINVAL;
}
free(p);
if (!t)
return log_oom();
r = sd_journal_add_match(j, t, 0);
free(t);
} else
r = sd_journal_add_match(j, *i, 0);
if (r < 0) {
log_error("Failed to add match '%s': %s", *i, strerror(-r));
return r;
}
}
return 0;
}
static int add_this_boot(sd_journal *j) {
char match[9+32+1] = "_BOOT_ID=";
sd_id128_t boot_id;
int r;
assert(j);
if (!arg_this_boot)
return 0;
r = sd_id128_get_boot(&boot_id);
if (r < 0) {
log_error("Failed to get boot id: %s", strerror(-r));
return r;
}
sd_id128_to_string(boot_id, match + 9);
r = sd_journal_add_match(j, match, strlen(match));
if (r < 0) {
log_error("Failed to add match: %s", strerror(-r));
return r;
}
return 0;
}
static int add_priorities(sd_journal *j) {
char match[] = "PRIORITY=0";
int i, r;
assert(j);
if (arg_priorities == 0xFF)
return 0;
for (i = LOG_EMERG; i <= LOG_DEBUG; i++)
if (arg_priorities & (1 << i)) {
match[sizeof(match)-2] = '0' + i;
log_info("adding match %s", match);
r = sd_journal_add_match(j, match, strlen(match));
if (r < 0) {
log_error("Failed to add match: %s", strerror(-r));
return r;
}
}
return 0;
}
static int setup_keys(void) {
#ifdef HAVE_GCRYPT
size_t mpk_size, seed_size, state_size, i;
uint8_t *mpk, *seed, *state;
ssize_t l;
int fd = -1, r;
sd_id128_t machine, boot;
char *p = NULL, *k = NULL;
struct FSPRGHeader h;
uint64_t n;
r = sd_id128_get_machine(&machine);
if (r < 0) {
log_error("Failed to get machine ID: %s", strerror(-r));
return r;
}
r = sd_id128_get_boot(&boot);
if (r < 0) {
log_error("Failed to get boot ID: %s", strerror(-r));
return r;
}
if (asprintf(&p, "/var/log/journal/" SD_ID128_FORMAT_STR "/fsprg",
SD_ID128_FORMAT_VAL(machine)) < 0)
return log_oom();
if (access(p, F_OK) >= 0) {
log_error("Evolving key file %s exists already.", p);
r = -EEXIST;
goto finish;
}
if (asprintf(&k, "/var/log/journal/" SD_ID128_FORMAT_STR "/fsprg.tmp.XXXXXX",
SD_ID128_FORMAT_VAL(machine)) < 0) {
r = log_oom();
goto finish;
}
mpk_size = FSPRG_mskinbytes(FSPRG_RECOMMENDED_SECPAR);
mpk = alloca(mpk_size);
seed_size = FSPRG_RECOMMENDED_SEEDLEN;
seed = alloca(seed_size);
state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR);
state = alloca(state_size);
fd = open("/dev/random", O_RDONLY|O_CLOEXEC|O_NOCTTY);
if (fd < 0) {
log_error("Failed to open /dev/random: %m");
r = -errno;
goto finish;
}
log_info("Generating seed...");
l = loop_read(fd, seed, seed_size, true);
if (l < 0 || (size_t) l != seed_size) {
log_error("Failed to read random seed: %s", strerror(EIO));
r = -EIO;
goto finish;
}
log_info("Generating key pair...");
FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR);
log_info("Generating evolving key...");
FSPRG_GenState0(state, mpk, seed, seed_size);
n = now(CLOCK_REALTIME);
n /= arg_evolve;
close_nointr_nofail(fd);
fd = mkostemp(k, O_WRONLY|O_CLOEXEC|O_NOCTTY);
if (fd < 0) {
log_error("Failed to open %s: %m", k);
r = -errno;
goto finish;
}
zero(h);
memcpy(h.signature, "KSHHRHLP", 8);
h.machine_id = machine;
h.boot_id = boot;
h.header_size = htole64(sizeof(h));
h.fsprg_start_usec = htole64(n * arg_evolve);
h.fsprg_interval_usec = htole64(arg_evolve);
h.secpar = htole16(FSPRG_RECOMMENDED_SECPAR);
h.state_size = htole64(state_size);
l = loop_write(fd, &h, sizeof(h), false);
if (l < 0 || (size_t) l != sizeof(h)) {
log_error("Failed to write header: %s", strerror(EIO));
r = -EIO;
goto finish;
}
l = loop_write(fd, state, state_size, false);
if (l < 0 || (size_t) l != state_size) {
log_error("Failed to write state: %s", strerror(EIO));
r = -EIO;
goto finish;
}
if (link(k, p) < 0) {
log_error("Failed to link file: %m");
r = -errno;
goto finish;
}
if (isatty(STDOUT_FILENO)) {
fprintf(stderr,
"\n"
"The new key pair has been generated. The evolving key has been written to the\n"
"following file. It will be used to protect local journal files. This file\n"
"should be kept secret. It should not be used on multiple hosts.\n"
"\n"
"\t%s\n"
"\n"
"Please write down the following " ANSI_HIGHLIGHT_ON "secret" ANSI_HIGHLIGHT_OFF " seed value. It should not be stored\n"
"locally on disk, and may be used to verify journal files from this host.\n"
"\n\t" ANSI_HIGHLIGHT_RED_ON, p);
fflush(stderr);
}
for (i = 0; i < seed_size; i++) {
if (i > 0 && i % 3 == 0)
putchar('-');
printf("%02x", ((uint8_t*) seed)[i]);
}
printf("/%llx-%llx\n", (unsigned long long) n, (unsigned long long) arg_evolve);
if (isatty(STDOUT_FILENO))
fputs(ANSI_HIGHLIGHT_OFF "\n", stderr);
r = 0;
finish:
if (fd >= 0)
close_nointr_nofail(fd);
if (k) {
unlink(k);
free(k);
}
free(p);
return r;
#else
log_error("Forward-secure journal verification not available.");
#endif
}
static int verify(sd_journal *j) {
int r = 0;
Iterator i;
JournalFile *f;
assert(j);
HASHMAP_FOREACH(f, j->files, i) {
int k;
#ifdef HAVE_GCRYPT
if (!arg_verify_seed && journal_file_fsprg_enabled(f))
log_warning("Journal file %s has authentication enabled but verification seed has not been passed using --verify-seed=.", f->path);
#endif
k = journal_file_verify(f, arg_verify_seed);
if (k == -EINVAL) {
/* If the seed was invalid give up right-away. */
return k;
} else if (k < 0) {
log_warning("FAIL: %s (%s)", f->path, strerror(-k));
r = k;
} else
log_info("PASS: %s", f->path);
}
return r;
}
int main(int argc, char *argv[]) {
int r;
sd_journal *j = NULL;
unsigned line = 0;
bool need_seek = false;
sd_id128_t previous_boot_id;
bool previous_boot_id_valid = false;
bool have_pager;
log_parse_environment();
log_open();
r = parse_argv(argc, argv);
if (r <= 0)
goto finish;
if (arg_action == ACTION_NEW_ID128) {
r = generate_new_id128();
goto finish;
}
if (arg_action == ACTION_SETUP_KEYS) {
r = setup_keys();
goto finish;
}
if (arg_directory)
r = sd_journal_open_directory(&j, arg_directory, 0);
else
r = sd_journal_open(&j, arg_local ? SD_JOURNAL_LOCAL_ONLY : 0);
if (r < 0) {
log_error("Failed to open journal: %s", strerror(-r));
goto finish;
}
if (arg_action == ACTION_VERIFY) {
r = verify(j);
goto finish;
}
if (arg_action == ACTION_PRINT_HEADER) {
journal_print_header(j);
r = 0;
goto finish;
}
#ifdef HAVE_ACL
if (!arg_quiet && geteuid() != 0 && in_group("adm") <= 0)
log_warning("Showing user generated messages only. Users in the group 'adm' can see all messages. Pass -q to turn this message off.");
#endif
r = add_this_boot(j);
if (r < 0)
goto finish;
r = add_matches(j, argv + optind);
if (r < 0)
goto finish;
r = add_priorities(j);
if (r < 0)
goto finish;
if (!arg_quiet) {
usec_t start, end;
char start_buf[FORMAT_TIMESTAMP_MAX], end_buf[FORMAT_TIMESTAMP_MAX];
r = sd_journal_get_cutoff_realtime_usec(j, &start, &end);
if (r < 0) {
log_error("Failed to get cutoff: %s", strerror(-r));
goto finish;
}
if (r > 0) {
if (arg_follow)
printf("Logs begin at %s.\n", format_timestamp(start_buf, sizeof(start_buf), start));
else
printf("Logs begin at %s, end at %s.\n",
format_timestamp(start_buf, sizeof(start_buf), start),
format_timestamp(end_buf, sizeof(end_buf), end));
}
}
if (arg_lines >= 0) {
r = sd_journal_seek_tail(j);
if (r < 0) {
log_error("Failed to seek to tail: %s", strerror(-r));
goto finish;
}
r = sd_journal_previous_skip(j, arg_lines);
} else {
r = sd_journal_seek_head(j);
if (r < 0) {
log_error("Failed to seek to head: %s", strerror(-r));
goto finish;
}
r = sd_journal_next(j);
}
if (r < 0) {
log_error("Failed to iterate through journal: %s", strerror(-r));
goto finish;
}
on_tty();
have_pager = !arg_no_pager && !arg_follow && pager_open();
if (arg_output == OUTPUT_JSON) {
fputc('[', stdout);
fflush(stdout);
}
for (;;) {
for (;;) {
sd_id128_t boot_id;
int flags =
arg_show_all * OUTPUT_SHOW_ALL |
have_pager * OUTPUT_FULL_WIDTH |
on_tty() * OUTPUT_COLOR;
if (need_seek) {
r = sd_journal_next(j);
if (r < 0) {
log_error("Failed to iterate through journal: %s", strerror(-r));
goto finish;
}
}
if (r == 0)
break;
r = sd_journal_get_monotonic_usec(j, NULL, &boot_id);
if (r >= 0) {
if (previous_boot_id_valid &&
!sd_id128_equal(boot_id, previous_boot_id))
printf(ANSI_HIGHLIGHT_ON "----- Reboot -----" ANSI_HIGHLIGHT_OFF "\n");
previous_boot_id = boot_id;
previous_boot_id_valid = true;
}
line ++;
r = output_journal(j, arg_output, line, 0, flags);
if (r < 0)
goto finish;
need_seek = true;
}
if (!arg_follow)
break;
r = sd_journal_wait(j, (uint64_t) -1);
if (r < 0) {
log_error("Couldn't wait for log event: %s", strerror(-r));
goto finish;
}
}
if (arg_output == OUTPUT_JSON)
fputs("\n]\n", stdout);
finish:
if (j)
sd_journal_close(j);
pager_close();
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}