X-Git-Url: http://git.efficios.com/?p=lttng-tools.git;a=blobdiff_plain;f=lttng-sessiond%2Fmain.c;h=ff8ec1fcdb35842b70849de4cf0f701841dbb886;hp=dc43edb4d30a905e6c403c69b9fc3a35b1b7901c;hb=daf282ab93462198c6acd16b4aa624635df1bea5;hpb=f56a39affe149956ac64b399859952e9586de930 diff --git a/lttng-sessiond/main.c b/lttng-sessiond/main.c index dc43edb4d..ff8ec1fcd 100644 --- a/lttng-sessiond/main.c +++ b/lttng-sessiond/main.c @@ -43,13 +43,14 @@ #include #include +#include #include "channel.h" #include "compat/poll.h" #include "context.h" #include "event.h" #include "futex.h" -#include "hashtable.h" +#include "../common/hashtable.h" #include "kernel.h" #include "lttng-sessiond.h" #include "shm.h" @@ -512,7 +513,8 @@ static void clean_command_ctx(struct command_ctx **cmd_ctx) * Send all stream fds of kernel channel to the consumer. */ static int send_kconsumer_channel_streams(struct consumer_data *consumer_data, - int sock, struct ltt_kernel_channel *channel) + int sock, struct ltt_kernel_channel *channel, + uid_t uid, gid_t gid) { int ret; struct ltt_kernel_stream *stream; @@ -544,6 +546,8 @@ static int send_kconsumer_channel_streams(struct consumer_data *consumer_data, lkm.u.stream.state = stream->state; lkm.u.stream.output = channel->channel->attr.output; lkm.u.stream.mmap_len = 0; /* for kernel */ + lkm.u.stream.uid = uid; + lkm.u.stream.gid = gid; strncpy(lkm.u.stream.path_name, stream->pathname, PATH_MAX - 1); lkm.u.stream.path_name[PATH_MAX - 1] = '\0'; DBG("Sending stream %d to consumer", lkm.u.stream.stream_key); @@ -605,6 +609,8 @@ static int send_kconsumer_session_streams(struct consumer_data *consumer_data, lkm.u.stream.state = LTTNG_CONSUMER_ACTIVE_STREAM; lkm.u.stream.output = DEFAULT_KERNEL_CHANNEL_OUTPUT; lkm.u.stream.mmap_len = 0; /* for kernel */ + lkm.u.stream.uid = session->uid; + lkm.u.stream.gid = session->gid; strncpy(lkm.u.stream.path_name, session->metadata->pathname, PATH_MAX - 1); lkm.u.stream.path_name[PATH_MAX - 1] = '\0'; DBG("Sending metadata stream %d to consumer", lkm.u.stream.stream_key); @@ -621,7 +627,8 @@ static int send_kconsumer_session_streams(struct consumer_data *consumer_data, } cds_list_for_each_entry(chan, &session->channel_list.head, list) { - ret = send_kconsumer_channel_streams(consumer_data, sock, chan); + ret = send_kconsumer_channel_streams(consumer_data, sock, chan, + session->uid, session->gid); if (ret < 0) { goto error; } @@ -777,7 +784,8 @@ static int update_kernel_stream(struct consumer_data *consumer_data, int fd) */ if (session->kernel_session->consumer_fds_sent == 1) { ret = send_kconsumer_channel_streams(consumer_data, - session->kernel_session->consumer_fd, channel); + session->kernel_session->consumer_fd, channel, + session->uid, session->gid); if (ret < 0) { goto error; } @@ -1737,7 +1745,7 @@ static int mount_debugfs(char *path) int ret; char *type = "debugfs"; - ret = mkdir_recursive(path, S_IRWXU | S_IRWXG, geteuid(), getegid()); + ret = mkdir_recursive_run_as(path, S_IRWXU | S_IRWXG, geteuid(), getegid()); if (ret < 0) { PERROR("Cannot create debugfs path"); goto error; @@ -1871,12 +1879,10 @@ error: * Create an UST session and add it to the session ust list. */ static int create_ust_session(struct ltt_session *session, - struct lttng_domain *domain, struct ucred *creds) + struct lttng_domain *domain) { - int ret; - unsigned int sess_uid; - gid_t gid; struct ltt_ust_session *lus = NULL; + int ret; switch (domain->type) { case LTTNG_DOMAIN_UST: @@ -1888,23 +1894,14 @@ static int create_ust_session(struct ltt_session *session, DBG("Creating UST session"); - sess_uid = session->uid; - lus = trace_ust_create_session(session->path, sess_uid, domain); + lus = trace_ust_create_session(session->path, session->id, domain); if (lus == NULL) { ret = LTTCOMM_UST_SESS_FAIL; goto error; } - /* - * Get the right group ID. To use the tracing group, the daemon must be - * running with root credentials or else it's the user GID used. - */ - gid = allowed_group(); - if (gid < 0 || !is_root) { - gid = creds->gid; - } - - ret = mkdir_recursive(lus->pathname, S_IRWXU | S_IRWXG, creds->uid, gid); + ret = mkdir_recursive_run_as(lus->pathname, S_IRWXU | S_IRWXG, + session->uid, session->gid); if (ret < 0) { if (ret != -EEXIST) { ERR("Trace directory creation error"); @@ -1922,6 +1919,8 @@ static int create_ust_session(struct ltt_session *session, ERR("Unknown UST domain on create session %d", domain->type); goto error; } + lus->uid = session->uid; + lus->gid = session->gid; session->ust_session = lus; return LTTCOMM_OK; @@ -1934,11 +1933,9 @@ error: /* * Create a kernel tracer session then create the default channel. */ -static int create_kernel_session(struct ltt_session *session, - struct ucred *creds) +static int create_kernel_session(struct ltt_session *session) { int ret; - gid_t gid; DBG("Creating kernel session"); @@ -1953,28 +1950,55 @@ static int create_kernel_session(struct ltt_session *session, session->kernel_session->consumer_fd = kconsumer_data.cmd_sock; } - gid = allowed_group(); - if (gid < 0) { - /* - * Use GID 0 has a fallback since kernel session is only allowed under - * root or the gid of the calling user - */ - is_root ? (gid = 0) : (gid = creds->gid); - } - - ret = mkdir_recursive(session->kernel_session->trace_path, - S_IRWXU | S_IRWXG, creds->uid, gid); + ret = mkdir_recursive_run_as(session->kernel_session->trace_path, + S_IRWXU | S_IRWXG, session->uid, session->gid); if (ret < 0) { if (ret != -EEXIST) { ERR("Trace directory creation error"); goto error; } } + session->kernel_session->uid = session->uid; + session->kernel_session->gid = session->gid; error: return ret; } +/* + * Check if the UID or GID match the session. Root user has access to + * all sessions. + */ +static int session_access_ok(struct ltt_session *session, + uid_t uid, gid_t gid) +{ + if (uid != session->uid && gid != session->gid + && uid != 0) { + return 0; + } else { + return 1; + } +} + +static unsigned int lttng_sessions_count(uid_t uid, gid_t gid) +{ + unsigned int i = 0; + struct ltt_session *session; + + DBG("Counting number of available session for UID %d GID %d", + uid, gid); + cds_list_for_each_entry(session, &session_list_ptr->head, list) { + /* + * Only list the sessions the user can control. + */ + if (!session_access_ok(session, uid, gid)) { + continue; + } + i++; + } + return i; +} + /* * Using the session list, filled a lttng_session array to send back to the * client for session listing. @@ -1982,17 +2006,25 @@ error: * The session list lock MUST be acquired before calling this function. Use * session_lock_list() and session_unlock_list(). */ -static void list_lttng_sessions(struct lttng_session *sessions) +static void list_lttng_sessions(struct lttng_session *sessions, + uid_t uid, gid_t gid) { - int i = 0; + unsigned int i = 0; struct ltt_session *session; - DBG("Getting all available session"); + DBG("Getting all available session for UID %d GID %d", + uid, gid); /* * Iterate over session list and append data after the control struct in * the buffer. */ cds_list_for_each_entry(session, &session_list_ptr->head, list) { + /* + * Only list the sessions the user can control. + */ + if (!session_access_ok(session, uid, gid)) { + continue; + } strncpy(sessions[i].path, session->path, PATH_MAX); sessions[i].path[PATH_MAX - 1] = '\0'; strncpy(sessions[i].name, session->name, NAME_MAX); @@ -2936,11 +2968,11 @@ error: /* * Command LTTNG_CREATE_SESSION processed by the client thread. */ -static int cmd_create_session(char *name, char *path) +static int cmd_create_session(char *name, char *path, struct ucred *creds) { int ret; - ret = session_create(name, path); + ret = session_create(name, path, creds->uid, creds->gid); if (ret != LTTCOMM_OK) { goto error; } @@ -3254,7 +3286,7 @@ static int process_client_msg(struct command_ctx *cmd_ctx) /* Need a session for kernel command */ if (need_tracing_session) { if (cmd_ctx->session->kernel_session == NULL) { - ret = create_kernel_session(cmd_ctx->session, &cmd_ctx->creds); + ret = create_kernel_session(cmd_ctx->session); if (ret < 0) { ret = LTTCOMM_KERN_SESS_FAIL; goto error; @@ -3281,7 +3313,7 @@ static int process_client_msg(struct command_ctx *cmd_ctx) if (need_tracing_session) { if (cmd_ctx->session->ust_session == NULL) { ret = create_ust_session(cmd_ctx->session, - &cmd_ctx->lsm->domain, &cmd_ctx->creds); + &cmd_ctx->lsm->domain); if (ret != LTTCOMM_OK) { goto error; } @@ -3326,6 +3358,18 @@ static int process_client_msg(struct command_ctx *cmd_ctx) break; } + /* + * Check that the UID or GID match that of the tracing session. + * The root user can interact with all sessions. + */ + if (need_tracing_session) { + if (!session_access_ok(cmd_ctx->session, + cmd_ctx->creds.uid, cmd_ctx->creds.gid)) { + ret = LTTCOMM_EPERM; + goto error; + } + } + /* Process by command type */ switch (cmd_ctx->lsm->cmd_type) { case LTTNG_ADD_CONTEXT: @@ -3423,7 +3467,7 @@ static int process_client_msg(struct command_ctx *cmd_ctx) case LTTNG_CREATE_SESSION: { ret = cmd_create_session(cmd_ctx->lsm->session.name, - cmd_ctx->lsm->session.path); + cmd_ctx->lsm->session.path, &cmd_ctx->creds); break; } case LTTNG_DESTROY_SESSION: @@ -3511,23 +3555,24 @@ static int process_client_msg(struct command_ctx *cmd_ctx) } case LTTNG_LIST_SESSIONS: { - session_lock_list(); + unsigned int nr_sessions; - if (session_list_ptr->count == 0) { + session_lock_list(); + nr_sessions = lttng_sessions_count(cmd_ctx->creds.uid, cmd_ctx->creds.gid); + if (nr_sessions == 0) { ret = LTTCOMM_NO_SESSION; session_unlock_list(); goto error; } - - ret = setup_lttng_msg(cmd_ctx, sizeof(struct lttng_session) * - session_list_ptr->count); + ret = setup_lttng_msg(cmd_ctx, sizeof(struct lttng_session) * nr_sessions); if (ret < 0) { session_unlock_list(); goto setup_error; } /* Filled the session array */ - list_lttng_sessions((struct lttng_session *)(cmd_ctx->llm->payload)); + list_lttng_sessions((struct lttng_session *)(cmd_ctx->llm->payload), + cmd_ctx->creds.uid, cmd_ctx->creds.gid); session_unlock_list();