On Wed, Apr 15, 2015 at 3:51 AM, Zbigniew Jędrzejewski-Szmek <zbys...@kemper.freedesktop.org> wrote:
> src/core/selinux-access.c | 31 ++++++++++++++++++++-----
> src/libsystemd/sd-device/device-private.h | 2 -
> src/systemctl/systemctl.c | 11 +++++----
> src/udev/udev-builtin-usb_id.c | 36 > +++++++++++------------------
> 4 files changed, 45 insertions(+), 35 deletions(-)
>
> New commits:
> commit 17af49f24812a6dd1b3f0732e33ea5dae9e32b29
> Author: Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl>
> Date: Mon Feb 23 20:06:00 2015 -0500
>
> selinux: use different log priorites for log messages
>
> When selinux calls our callback with a log message, it specifies the
> type as AVC or INFO/WARNING/ERROR. The question is how to map this to
> audit types and/or log priorities. SELINUX_AVC maps to AUDIT_USER_AVC
> reasonably, but for the other messages we have no idea, hence we use
> AUDIT_USER_AVC for everything. When not using audit logging, we can
> map those selinux levels to LOG_INFO/WARNING/ERROR etc.
>
> Also update comment which was not valid anymore in light of journald
> sucking in audit logs, and was actually wrong from the beginning —
> libselinux uses the callback for everything, not just avcs.
>
> This stemmed out of https://bugzilla.redhat.com/show_bug.cgi?id=1195330,
> but does not solve it.
>
> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index a8c9a4b..7058b78 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -80,17 +80,33 @@ static int audit_callback(
> return 0;
> }
>
> +static int callback_type_to_priority(int type) {
> + switch(type) {
> + case SELINUX_ERROR: return LOG_ERR;
> + case SELINUX_WARNING: return LOG_WARNING;
> + case SELINUX_INFO: return LOG_INFO;
> + case SELINUX_AVC:
> + default: return LOG_NOTICE;
> + }
> +}
> +
> /*
> - Any time an access gets denied this callback will be called
> - code copied from dbus. If audit is turned on the messages will go as
> - user_avc's into the /var/log/audit/audit.log, otherwise they will be
> - sent to syslog.
> + libselinux uses this callback when access gets denied or other
> + events happen. If audit is turned on, messages will be reported
> + using audit netlink, otherwise they will be logged using the usual
> + channels.
> +
> + Code copied from dbus and modified.
> */
> _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
> va_list ap;
>
> #ifdef HAVE_AUDIT
> - if (get_audit_fd() >= 0) {
> + int fd;
> +
> + fd = get_audit_fd();
> +
> + if (fd >= 0) {
> _cleanup_free_ char *buf = NULL;
> int r;
>
> @@ -99,14 +115,15 @@ _printf_(2, 3) static int log_callback(int type, const > char *fmt, ...) {
> va_end(ap);
>
> if (r >= 0) {
> - audit_log_user_avc_message(get_audit_fd(), > AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
> + audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, > NULL, NULL, NULL, 0);
> return 0;
> }
> }
> #endif
>
> va_start(ap, fmt);
> - log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, > __FUNCTION__, fmt, ap);
> + log_internalv(LOG_AUTH | callback_type_to_priority(type),
> + 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
> va_end(ap);
>
> return 0;
>
> commit 40acc203c043fd419f3c045dc6f116c3a28411d8
> Author: Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl>
> Date: Tue Apr 14 20:47:20 2015 -0500
>
> systemctl: avoid bumping NOFILE rlimit unless needed
>
> We actually only use the journal when showing status. Move setrlimit call
> so it is only called for status.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1184712
>
> diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
> index 75d709d..4e702fb 100644
> --- a/src/systemctl/systemctl.c
> +++ b/src/systemctl/systemctl.c
> @@ -4466,6 +4466,12 @@ static int show(sd_bus *bus, char **args) {
> if (show_properties)
> pager_open_if_enabled();
>
> + if (show_status)
> + /* Increase max number of open files to 16K if we can, we
> + * might needs this when browsing journal files, which might
> + * be split up into many files. */
> + setrlimit_closest(RLIMIT_NOFILE, &RLIMIT_MAKE_CONST(16384));
> +
> /* If no argument is specified inspect the manager itself */
>
> if (show_properties && strv_length(args) <= 1)
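Review bot: `SELINUX_AVC` shares the `default:` arm of the new `callback_type_to_priority()` in src/core/selinux-access.c and is logged at `LOG_NOTICE`, one step below the `LOG_WARNING` given to libselinux's own warnings, and no comment says the ordering is deliberate. When the audit fd is unavailable this log line is where an access-denial message ends up, so anyone filtering by priority needs to know that a threshold of warning or higher will not show it. A short comment above `case SELINUX_AVC:` would record the intent, for example `/* AVC messages and unknown types are routine events, not errors of ours: notice */` (this assumes that is the reasoning; reword if it is not). As a minor style point, `switch(type)` is missing the space after the keyword.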
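Review bot: The return value of `audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, ...)` is still discarded in `log_callback()` (second hunk of src/core/selinux-access.c), and the function returns 0 immediately afterwards. A message whose audit write fails therefore never reaches `log_internalv()` either and is lost without any trace. libaudit documents a result of 0 or less as failure, so the branch could read `if (r >= 0 && audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0) > 0) return 0;` and otherwise fall through to the journal path, which now carries the mapped priority. The call that sets `r` sits between the two hunks and is not visible here, so this assumes `buf` holds the formatted message at that point.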
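Review bot: The new `if (show_status)` in `show()` (src/systemctl/systemctl.c) has no braces, and its body is a three-line comment followed by the `setrlimit_closest()` call, so the guarded statement sits four lines below the condition. A later insertion between the comment and the call would silently change what is conditional. Either move the comment above the `if` or brace the body as `if (show_status) { ... }`. The moved comment also keeps the typo `might needs this`, which should read `might need this`. `show()` begins and ends outside the hunk.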
> @@ -7164,11 +7170,6 @@ found:
> }
> }
>
> - /* Increase max number of open files to 16K if we can, we
> - * might needs this when browsing journal files, which might
> - * be split up into many files. */
> - setrlimit_closest(RLIMIT_NOFILE, &RLIMIT_MAKE_CONST(16384));
> -
> return verb->dispatch(bus, argv + optind);
> }
>
>
> commit 813a71a206f9f8dc7f824299e94404f8bfdafd91
> Author: Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl>
> Date: Tue Apr 14 12:39:40 2015 -0400
>
> sd-device: fix typo
>
> diff --git a/src/libsystemd/sd-device/device-private.h > b/src/libsystemd/sd-device/device-private.h
> index 7c6219c..f252481 100644
> --- a/src/libsystemd/sd-device/device-private.h
> +++ b/src/libsystemd/sd-device/device-private.h
> @@ -37,7 +37,7 @@ void device_set_is_initialized(sd_device *device);
> void device_set_watch_handle(sd_device *device, int fd);
> void device_set_db_persist(sd_device *device);
> void device_set_devlink_priority(sd_device *device, int priority);
> -int device_ensure_usec_initialized(sd_device *devcie, sd_device *device_old);
> +int device_ensure_usec_initialized(sd_device *device, sd_device *device_old);
> int device_add_devlink(sd_device *device, const char *devlink);
> int device_add_property(sd_device *device, const char *property, const char > *value);
> int device_add_tag(sd_device *device, const char *tag);
>
> commit 4beac74e69f87c2c8d13c10326a075b9b9ece501
> Author: Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl>
> Date: Mon Apr 6 15:42:18 2015 -0400
>
> udev-builtin-usb_id: simplification
>
> diff --git a/src/udev/udev-builtin-usb_id.c b/src/udev/udev-builtin-usb_id.c
> index 25ae032..9418a6b 100644
> --- a/src/udev/udev-builtin-usb_id.c
> +++ b/src/udev/udev-builtin-usb_id.c
> @@ -229,17 +229,17 @@ static int dev_if_packed_info(struct udev_device *dev, > char *ifs_str, size_t len
> * is concatenated with the identification with an underscore '_'.
> */
> static int builtin_usb_id(struct udev_device *dev, int argc, char *argv[], > bool test) {
> - char vendor_str[64];
> + char vendor_str[64] = "";
> char vendor_str_enc[256];
> const char *vendor_id;
> - char model_str[64];
> + char model_str[64] = "";
> char model_str_enc[256];
> const char *product_id;
> - char serial_str[UTIL_NAME_SIZE];
> - char packed_if_str[UTIL_NAME_SIZE];
> - char revision_str[64];
> - char type_str[64];
> - char instance_str[64];
> + char serial_str[UTIL_NAME_SIZE] = "";
> + char packed_if_str[UTIL_NAME_SIZE] = "";
> + char revision_str[64] = "";
> + char type_str[64] = "";
> + char instance_str[64] = "";
> const char *ifnum = NULL;
> const char *driver = NULL;
> char serial[256];
> @@ -252,14 +252,6 @@ static int builtin_usb_id(struct udev_device *dev, int > argc, char *argv[], bool
> size_t l;
> char *s;
>
> - vendor_str[0] = '\0';
> - model_str[0] = '\0';
> - serial_str[0] = '\0';
> - packed_if_str[0] = '\0';
> - revision_str[0] = '\0';
> - type_str[0] = '\0';
> - instance_str[0] = '\0';
> -
> /* shortcut, if we are called directly for a "usb_device" type */
> if (udev_device_get_devtype(dev) != NULL && > streq(udev_device_get_devtype(dev), "usb_device")) {
> dev_if_packed_info(dev, packed_if_str, > sizeof(packed_if_str));
> @@ -310,7 +302,7 @@ static int builtin_usb_id(struct udev_device *dev, int > argc, char *argv[], bool
> dev_if_packed_info(dev_usb, packed_if_str, sizeof(packed_if_str));
>
> /* mass storage : SCSI or ATAPI */
> - if ((protocol == 6 || protocol == 2)) {
> + if (protocol == 6 || protocol == 2) {
> struct udev_device *dev_scsi;
> const char *scsi_model, *scsi_vendor, *scsi_type, *scsi_rev;
> int host, bus, target, lun;
> @@ -438,10 +430,10 @@ fallback:
>
> s = serial;
> l = strpcpyl(&s, sizeof(serial), vendor_str, "_", model_str, NULL);
> - if (serial_str[0] != '\0')
> + if (isempty(serial_str))
You changed the condition, it is: if (!isempty(serial_str)) And the same for the others below.
> l = strpcpyl(&s, l, "_", serial_str, NULL);
>
> - if (instance_str[0] != '\0')
> + if (isempty(instance_str))
> strpcpyl(&s, l, "-", instance_str, NULL);
>
> udev_builtin_add_property(dev, test, "ID_VENDOR", vendor_str);
> @@ -452,14 +444,14 @@ fallback:
> udev_builtin_add_property(dev, test, "ID_MODEL_ID", product_id);
> udev_builtin_add_property(dev, test, "ID_REVISION", revision_str);
> udev_builtin_add_property(dev, test, "ID_SERIAL", serial);
> - if (serial_str[0] != '\0')
> + if (isempty(serial_str))
> udev_builtin_add_property(dev, test, "ID_SERIAL_SHORT", > serial_str);
> - if (type_str[0] != '\0')
> + if (isempty(type_str))
> udev_builtin_add_property(dev, test, "ID_TYPE", type_str);
> - if (instance_str[0] != '\0')
> + if (isempty(instance_str))
> udev_builtin_add_property(dev, test, "ID_INSTANCE", > instance_str);
> udev_builtin_add_property(dev, test, "ID_BUS", "usb");
> - if (packed_if_str[0] != '\0')
> + if (isempty(packed_if_str))
> udev_builtin_add_property(dev, test, "ID_USB_INTERFACES", > packed_if_str);
> if (ifnum != NULL)
> udev_builtin_add_property(dev, test, "ID_USB_INTERFACE_NUM", > ifnum);
>
>
> _______________________________________________
> systemd-commits mailing list
> systemd-comm...@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-commits
> _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel