journal: add logging of effective capabilities _CAP_EFFECTIVE

I think this is the most important of the capabilities bitmasks to log.
2025-03-28 02:50:16 +03:00 · 2013-07-15 18:10:56 -07:00 · 2013-07-15 18:10:56 -07:00 · 3a83211689
commit 3a83211689
parent fa7deadb07
5 changed files with 51 additions and 2 deletions
--- a/2
+++ b/2
@ -220,8 +220,6 @@ Features:

 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})

-* we should log capabilities too
-
 * Support SO_REUSEPORT with socket activation:
  - Let systemd maintain a pool of servers.
  - Use for seamless upgrades, by running the new server before stopping the
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@ -196,6 +196,15 @@
                                </listitem>
                        </varlistentry>

+                        <varlistentry>
+                                <term><varname>_CAP_EFFECTIVE=</varname></term>
+                                <listitem>
+                                        <para>The effective <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> of
+                                        the process the journal entry
+                                        originates from.</para>
+                                </listitem>
+                        </varlistentry>
+
                        <varlistentry>
                                <term><varname>_AUDIT_SESSION=</varname></term>
                                <term><varname>_AUDIT_LOGINUID=</varname></term>
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@ -578,6 +578,13 @@ static void dispatch_message_real(
                        IOVEC_SET_STRING(iovec[n++], x);
                }

+                r = get_process_capeff(ucred->pid, &t);
+                if (r >= 0) {
+                        x = strappenda("_CAP_EFFECTIVE=", t);
+                        free(t);
+                        IOVEC_SET_STRING(iovec[n++], x);
+                }
+
 #ifdef HAVE_AUDIT
                r = audit_session_from_pid(ucred->pid, &audit);
                if (r >= 0) {
--- a/src/shared/util.c
+++ b/src/shared/util.c
@ -726,6 +726,40 @@ int is_kernel_thread(pid_t pid) {
        return 0;
 }

+int get_process_capeff(pid_t pid, char **capeff) {
+        const char *p;
+        _cleanup_free_ char *status = NULL;
+        char *t = NULL;
+        int r;
+
+        assert(capeff);
+        assert(pid >= 0);
+
+        if (pid == 0)
+                p = "/proc/self/status";
+        else
+                p = procfs_file_alloca(pid, "status");
+
+        r = read_full_file(p, &status, NULL);
+        if (r < 0)
+                return r;
+
+        t = strstr(status, "\nCapEff:\t");
+        if (!t)
+                return -ENOENT;
+
+        for (t += strlen("\nCapEff:\t"); t[0] == '0'; t++)
+                continue;
+
+        if (t[0] == '\n')
+                t--;
+
+        *capeff = strndup(t, strchr(t, '\n') - t);
+        if (!*capeff)
+                return -ENOMEM;
+
+        return 0;
+}

 int get_process_exe(pid_t pid, char **name) {
        const char *p;
--- a/src/shared/util.h
+++ b/src/shared/util.h
@ -210,6 +210,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
 int get_process_exe(pid_t pid, char **name);
 int get_process_uid(pid_t pid, uid_t *uid);
 int get_process_gid(pid_t pid, gid_t *gid);
+int get_process_capeff(pid_t pid, char **capeff);

 char hexchar(int x) _const_;
 int unhexchar(char c) _const_;