static void test_have_effective_cap(void) {
assert_se(have_effective_cap(CAP_KILL));
assert_se(have_effective_cap(CAP_CHOWN));
assert_se(drop_privileges(test_uid, test_gid, test_flags | (1ULL << CAP_KILL)) >= 0);
assert_se(getuid() == test_uid);
assert_se(getgid() == test_gid);
assert_se(have_effective_cap(CAP_KILL));
assert_se(!have_effective_cap(CAP_CHOWN));
}
int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
char *s;
uid_t u;
int r;
assert(uid);
/* Only use audit login uid if we are executed with sufficient
* capabilities so that pam_loginuid could do its job. If we
* are lacking the CAP_AUDIT_CONTROL capabality we most likely
* are being run in a container and /proc/self/loginuid is
* useless since it probably contains a uid of the host
* system. */
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
r = read_one_line_file("/proc/self/loginuid", &s);
else {
char *p;
if (asprintf(&p, "/proc/%lu/loginuid", (unsigned long) pid) < 0)
return -ENOMEM;
r = read_one_line_file(p, &s);
free(p);
}
if (r < 0)
return r;
r = parse_uid(s, &u);
free(s);
if (r < 0)
return r;
if (u == (uid_t) -1)
return -ENOENT;
*uid = (uid_t) u;
return 0;
}
int audit_session_from_pid(pid_t pid, uint32_t *id) {
char *s;
uint32_t u;
int r;
assert(id);
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
/* Audit doesn't support containers right now */
if (detect_container(NULL) > 0)
return -ENOTSUP;
if (pid == 0)
r = read_one_line_file("/proc/self/sessionid", &s);
else {
char *p;
if (asprintf(&p, "/proc/%lu/sessionid", (unsigned long) pid) < 0)
return -ENOMEM;
r = read_one_line_file(p, &s);
free(p);
}
if (r < 0)
return r;
r = safe_atou32(s, &u);
free(s);
if (r < 0)
return r;
if (u == (uint32_t) -1 || u <= 0)
return -ENOENT;
*id = u;
return 0;
}
int get_audit_fd(void) {
if (!initialized) {
if (have_effective_cap(CAP_AUDIT_WRITE) == 0) {
audit_fd = -EPERM;
initialized = true;
return audit_fd;
}
audit_fd = audit_open();
if (audit_fd < 0) {
if (!IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
log_error_errno(errno, "Failed to connect to audit log: %m");
audit_fd = errno ? -errno : -EINVAL;
}
initialized = true;
}
return audit_fd;
}
int kmod_setup(void) {
#ifdef HAVE_KMOD
static const struct {
const char *module;
const char *path;
bool warn_if_unavailable:1;
bool warn_if_module:1;
bool (*condition_fn)(void);
} kmod_table[] = {
/* auto-loading on use doesn't work before udev is up */
{ "autofs4", "/sys/class/misc/autofs", true, false, NULL },
/* early configure of ::1 on the loopback device */
{ "ipv6", "/sys/module/ipv6", false, true, NULL },
/* this should never be a module */
{ "unix", "/proc/net/unix", true, true, NULL },
/* IPC is needed before we bring up any other services */
{ "kdbus", "/sys/fs/kdbus", false, false, is_kdbus_wanted },
#ifdef HAVE_LIBIPTC
/* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
{ "ip_tables", "/proc/net/ip_tables_names", false, false, NULL },
#endif
};
struct kmod_ctx *ctx = NULL;
unsigned int i;
int r;
if (have_effective_cap(CAP_SYS_MODULE) == 0)
return 0;
for (i = 0; i < ELEMENTSOF(kmod_table); i++) {
struct kmod_module *mod;
if (kmod_table[i].path && access(kmod_table[i].path, F_OK) >= 0)
continue;
if (kmod_table[i].condition_fn && !kmod_table[i].condition_fn())
continue;
if (kmod_table[i].warn_if_module)
log_debug("Your kernel apparently lacks built-in %s support. Might be "
"a good idea to compile it in. We'll now try to work around "
"this by loading the module...", kmod_table[i].module);
if (!ctx) {
ctx = kmod_new(NULL, NULL);
if (!ctx)
return log_oom();
kmod_set_log_fn(ctx, systemd_kmod_log, NULL);
kmod_load_resources(ctx);
}
r = kmod_module_new_from_name(ctx, kmod_table[i].module, &mod);
if (r < 0) {
log_error("Failed to lookup module '%s'", kmod_table[i].module);
continue;
}
r = kmod_module_probe_insert_module(mod, KMOD_PROBE_APPLY_BLACKLIST, NULL, NULL, NULL, NULL);
if (r == 0)
log_debug("Inserted module '%s'", kmod_module_get_name(mod));
else if (r == KMOD_PROBE_APPLY_BLACKLIST)
log_info("Module '%s' is blacklisted", kmod_module_get_name(mod));
else {
bool print_warning = kmod_table[i].warn_if_unavailable || (r < 0 && r != -ENOENT);
log_full_errno(print_warning ? LOG_WARNING : LOG_DEBUG, r,
"Failed to insert module '%s': %m", kmod_module_get_name(mod));
}
kmod_module_unref(mod);
}
if (ctx)
kmod_unref(ctx);
#endif
return 0;
}
static int create_item(Item *i) {
int r, e;
mode_t u;
struct stat st;
assert(i);
switch (i->type) {
case IGNORE_PATH:
case IGNORE_DIRECTORY_PATH:
case REMOVE_PATH:
case RECURSIVE_REMOVE_PATH:
return 0;
case CREATE_FILE:
case TRUNCATE_FILE:
r = write_one_file(i, i->path);
if (r < 0)
return r;
break;
case WRITE_FILE:
r = glob_item(i, write_one_file);
if (r < 0)
return r;
break;
case TRUNCATE_DIRECTORY:
case CREATE_DIRECTORY:
u = umask(0);
mkdir_parents_label(i->path, 0755);
r = mkdir(i->path, i->mode);
umask(u);
if (r < 0 && errno != EEXIST) {
log_error("Failed to create directory %s: %m", i->path);
return -errno;
}
if (stat(i->path, &st) < 0) {
log_error("stat(%s) failed: %m", i->path);
return -errno;
}
if (!S_ISDIR(st.st_mode)) {
log_error("%s is not a directory.", i->path);
return -EEXIST;
}
r = item_set_perms(i, i->path);
if (r < 0)
return r;
break;
case CREATE_FIFO:
u = umask(0);
r = mkfifo(i->path, i->mode);
umask(u);
if (r < 0 && errno != EEXIST) {
log_error("Failed to create fifo %s: %m", i->path);
return -errno;
}
if (stat(i->path, &st) < 0) {
log_error("stat(%s) failed: %m", i->path);
return -errno;
}
if (!S_ISFIFO(st.st_mode)) {
log_error("%s is not a fifo.", i->path);
return -EEXIST;
}
r = item_set_perms(i, i->path);
if (r < 0)
return r;
break;
case CREATE_SYMLINK: {
char *x;
label_context_set(i->path, S_IFLNK);
r = symlink(i->argument, i->path);
e = errno;
label_context_clear();
errno = e;
if (r < 0 && errno != EEXIST) {
log_error("symlink(%s, %s) failed: %m", i->argument, i->path);
return -errno;
}
r = readlink_malloc(i->path, &x);
if (r < 0) {
log_error("readlink(%s) failed: %s", i->path, strerror(-r));
return -errno;
}
if (!streq(i->argument, x)) {
free(x);
log_error("%s is not the right symlinks.", i->path);
return -EEXIST;
}
free(x);
break;
}
case CREATE_BLOCK_DEVICE:
case CREATE_CHAR_DEVICE: {
mode_t file_type;
if (have_effective_cap(CAP_MKNOD) == 0) {
/* In a container we lack CAP_MKNOD. We
shouldnt attempt to create the device node in
that case to avoid noise, and we don't support
virtualized devices in containers anyway. */
log_debug("We lack CAP_MKNOD, skipping creation of device node %s.", i->path);
return 0;
}
file_type = (i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR);
u = umask(0);
label_context_set(i->path, file_type);
r = mknod(i->path, i->mode | file_type, i->major_minor);
e = errno;
label_context_clear();
umask(u);
errno = e;
if (r < 0 && errno != EEXIST) {
log_error("Failed to create device node %s: %m", i->path);
return -errno;
}
if (stat(i->path, &st) < 0) {
log_error("stat(%s) failed: %m", i->path);
return -errno;
}
if ((st.st_mode & S_IFMT) != file_type) {
log_error("%s is not a device node.", i->path);
return -EEXIST;
}
r = item_set_perms(i, i->path);
if (r < 0)
return r;
break;
}
case RELABEL_PATH:
r = glob_item(i, item_set_perms);
if (r < 0)
return 0;
break;
case RECURSIVE_RELABEL_PATH:
r = glob_item(i, recursive_relabel);
if (r < 0)
return r;
}
log_debug("%s created successfully.", i->path);
return 0;
}
