tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

journal: normalize priority of logging sources The stream event source has a priority of SD_EVENT_PRIORITY_NORMAL+5, and stdout source +10, but the native and syslog event sources are left at the default of 0. As a result, any heavy native or syslog logger can cause starvation of the other loggers. This is trivially demonstrated by running: dd if=/dev/urandom bs=8k | od | systemd-cat & # native spammer systemd-run echo hello & # stream logger journalctl --follow --output=verbose --no-pager --identifier=echo & ... and wait, and wait, the "hello" never comes. Now kill %1, "hello" arrives finally.

selinux: split up mac_selinux_have() from mac_selinux_use() Let's distuingish the cases where our code takes an active role in selinux management, or just passively reports whatever selinux properties are set. mac_selinux_have() now checks whether selinux is around for the passive stuff, and mac_selinux_use() for the active stuff. The latter checks the former, plus also checks UID == 0, under the assumption that only when we run priviliged selinux management really makes sense. Fixes: #1941

journald: never accept fds from file systems with mandatory locking enabled This is pretty much a work-around for a security vulnerability in kernels that allow unprivileged user namespaces. Fixes #1822.

treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.

journal: fix incorrect errno reporting pread() returns -1 on error and sets errno. Do not use the -1 as errno.

util-lib: split out allocation calls into alloc-util.[ch]

io-util.h: move iovec stuff from macro.h to io-util.h

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

tree-wide: update empty-if coccinelle script to cover empty-while and more Let's also clean up single-line while and for blocks.

journal: use (void) to silence coverity This shouldn't really fail and anyway not much we can do about it. CID #996292, #996294, #996295.

journald: prefix exported calls with "server_", unexport unnecessary calls

journald: always allocate space for object fields If OBJECT_PID= came as the last field, we would not reallocate the iovec to bigger size, and fail the assertion later on in dispatch_message_real().

journald: fix off by one in native transport https://bugzilla.redhat.com/show_bug.cgi?id=1177184

util: when using basename() for creating temporary files, verify the resulting name is actually valid Also, rename filename_is_safe() to filename_is_valid(), since it actually does a full validation for what the kernel will accept as file name, it's not just a heuristic.

treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".

treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.

treewide: more log_*_errno + return simplifications

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

journald: constify all things!

memfd: rename memfd.h to memfd-util.h to avoid any confusion with any libc provided headers

memfd: always use our internal utility functions where we have them

journal: when sending huge log messages prefer memfds over temporary files in /dev/shm Previously when a log message grew beyond the maximum AF_UNIX/SOCK_DGRAM datagram limit we'd send an fd to a deleted file in /dev/shm instead. Because the sender could still modify the file after delivery we had to immediately copy the data on the receiving side. With memfds we can optimize this logic, and also remove the dependency on /dev/shm: simply send a sealed memfd around, and if we detect the seal memory map the fd and use it directly.

mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention

journald: remove redundant newlines

journald: properly sum up entry size counter We should read the entry size before moving to the next iovec, not after.

Fix misuse of uint64_t as size_t They have different size on 32 bit, so they are really not interchangable.

Small modernizations

Be more verbose when bind or listen fails Also be more verbose in devnode_acl_all().

Clear up confusion wrt. ENTRY_SIZE_MAX and DATA_SIZE_MAX Define DATA_SIZE_MAX to mean the maximum size of a single field, and ENTRY_SIZE_MAX to mean the size of the whole entry, with some rough calculation of overhead over the payload. Check if entries are not too big when processing native journal messages.

journal: export valid_user_field and size defines In preparation for use elsewhere.

journald: add support for wall forwarding This will let journald forward logs as messages sent to all logged in users (like wall). Two options are added: * ForwardToWall (default yes) * MaxLevelWall (default emerg) 'ForwardToWall' is overridable by kernel command line option 'systemd.journald.forward_to_wall'. This is used to emulate the traditional syslogd behaviour of sending emergency messages to all logged in users.

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

journald: port to sd-event and enable watchdog support

security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.

remove hasprefix(), use startswith()

journal: allow callers to specify OBJECT_PID= When journald encounters a message with OBJECT_PID= set coming from a priviledged process (UID==0), additional fields will be added to the message: OBJECT_UID=, OBJECT_GID=, OBJECT_COMM=, OBJECT_EXE=, OBJECT_CMDLINE=, OBJECT_AUDIT_SESSION=, OBJECT_AUDIT_LOGINUID=, OBJECT_SYSTEMD_CGROUP=, OBJECT_SYSTEMD_SESSION=, OBJECT_SYSTEMD_OWNER_UID=, OBJECT_SYSTEMD_UNIT= or OBJECT_SYSTEMD_USER_UNIT=. This is for other logging daemons, like setroubleshoot, to be able to augment their logs with data about the process. https://bugzilla.redhat.com/show_bug.cgi?id=951627

Add hasprefix macro to check prefixes of fixed length

journal: fix off-by-one error in native message iovec counting Thanks to Cristian Ciupitu for a reproducer. https://bugzilla.redhat.com/show_bug.cgi?id=924359

journald: bring max coredump size in sync with max entry size

journal: fix SO_PASSSEC invocation Spotted by Lukas Nykryn

build-sys: store journald code in a noinst library The point is to allow the use of journald functions by other binaries. Before, journald code was split into multiple files (journald-*.[ch]), but all those files all required functions from journald.c. And journald.c has its own main(). Now, it is possible to link against those functions, e.g. from test binaries. This constitutes a fix for https://bugzilla.redhat.com/show_bug.cgi?id=872638. The patch does the following: 1. rename journald.h to journald-server.h and move corresponding code to journald-server.c. 2. add journald-server.c and other journald-*.c parts to libsystemd-journal-internal. 3. remove journald-syslog.c from test_journal_syslog_SOURCES, since it is now contained in libsystemd-journal-internal. There are no code changes, apart from the removal of a few static's, to allow function calls between files.

dbus: add some more safety checks before accepting data from bus clients

journald: only accept fds from certain directories

journald: don't accept arbitrarily sized journal data fields https://bugzilla.redhat.com/show_bug.cgi?id=858746

journald: add missing includes

journald: split off native protocol support into its own .c file